AXIS Insurance Company 
111 S. Wacker Drive, Suite 3500 
Chicago, IL 60606 


CERTIFICATE OF INSURANCE 


THIS CERTIFICATE IS ISSUED AS A MATTER OF INFORMATION ONLY AND CONFERS NO RIGHTS UPON THE CERTIFICATE 
HOLDER. THIS CERTIFICATE DOES NOT AFFIRMATIVELY OR NEGATIVELY AMEND, EXTEND OR ALTER THE COVERAGE 
AFFORDED BY THE POLICY BELOW. THIS CERTIFICATE OF INSURANCE DOES NOT CONSTITUTE A CONTRACT BETWEEN 
THE ISSUING INSURER(S), AUTHORIZED REPRESENTATIVE OR PRODUCER AND THE CERTIFICATE HOLDER.


THIS INSURANCE POLICY PROVIDES COVERAGE ON A CLAIMS-MADE BASIS AND APPLIES ONLY TO CLAIMS FIRST MADE 
DURING THE POLICY PERIOD. CLAIMS OR POTENTIAL CLAIMS MUST BE REPORTED TO AXIS INSURANCE COMPANY 
WITHIN 60 DAYS OF FIRST KNOWLEDGE. 

This Certificate of Insurance names the certificate holder who qualifies as an insured entity under the AXIS PRO®
PRIVASURE™ Policy identified in Item 2 below. It also lists the coverage effective date, coverage expiration date and the
Certificate Holder Limit of Liability that applies to the certificate holder named in Item 1 of this Certificate. This Certificate
does not amend, extend, or alter the coverage provided by the policy identified in Item 2 below in any way.


Insureds’ Representative: North American Data Security RPG 


Item 1. CERTIFICATE HOLDER (ENROLLEE): 
Name: DMA, Inc.
Address: 3015 E Randol Mill Road
Arlington TX 76011

Item 2. POLICY NUMBER: NAD 110004-02-2018 
Item 3. CERTIFICATE ISSUE DATE: 11/1/2018 
Item 4. COVERAGE PERIOD: 

From: 11/1/2018 To: 11/1/2019 

(At 12:01 A.M. standard time at the address stated in Item 1 above.) 
Item 5. ENROLLEE NUMBER: 12345 
Item 6. TYPE OF INSURANCE: Enterprise Security Event & Privacy Regulation Liability
Item 7. ENROLLEE AGGREGATE LIMIT OF INSURANCE: $100,000 (including claim expenses)


Item 8. ANNUAL ENROLLEE PREMIUM: Refer to Administrator 
(includes insurance premium as well as separate fees for other 
services provided not applicable to such insurance) 


Item 9. RETROACTIVE DATE: Full Prior Acts. 


DECLARATIONS 


AXIS PRO® PRIVASURE™


SOLELY AS RESPECTS CLAIMS-MADE LIABILITY COVERAGES UNDER THIS POLICY: THIS INSURANCE POLICY 
PROVIDES COVERAGE ON A CLAIMS-MADE BASIS AND APPLIES ONLY TO CLAIMS FIRST MADE AGAINST THE 
INSURED DURING THE POLICY PERIOD OR ANY APPLICABLE EXTENDED REPORTING PERIOD. CLAIMS MUST 
BE REPORTED TO THE INSURER AS SET FORTH IN THE SECTION ENTITLED REPORTING OF CLAIMS AND 
EVENTS. CLAIM EXPENSES ARE INCLUDED IN THE POLICY LIMIT OF INSURANCE, AND PAYMENT THEREOF 
WILL ERODE, AND MAY EXHAUST, THE POLICY LIMIT OF INSURANCE. 


NAMED INSURED:
North American Data Security RPG
3310 W Big Beaver Road
T MI 48084

BROKER OF RECORD:
Ar N S OKETA GE
2851 Charlevoix Drive, SE, Suite 220
Grand Rapids, MI 49546

INSURER:
AXIS Insurance Company
111 S. Wacker Drive, Suite 3500
Chicago, IL 60606
(866) 259-5435
A Stock Insurer

POLICY NUMBER: NAD 110004/02/2018
RENEWAL OF: NAD 110004/01/2018
AXIS PRO® PRIVASURE™ Insurance Policy PVSR-101 (08-16)

POLICY PERIOD:
Effective Date: 01/01/2020
Expiration Date: 01/01/2021
Both dates at 12:01 a.m. at the Named Insured’s address stated herein.

RETROACTIVE DATE: Full Prior Acts


TOTAL POLICY PREMIUM per enrollee per month 


Refer to Program Administrator 


LIMITS OF INSURANCE 


Policy Limit of Insurance per enrollee $100,000 
Claims-Made Liability Coverages Limits of Insurance 
Aggregate Claims-Made Liability Coverages Limit of Insurance $100,000 
Each Enterprise Security Event Claim Limit of Insurance $100,000 
Each Privacy Regulation Claim Limit of Insurance $100,000 
Aggregate Claims-Made Coverages Limit of Insurance $100,000
Each Enterprise Security Event Claim Limit of Insurance $100,000
Each Privacy Regulation Claim Limit of Insurance $100,000


First Party Coverages Limits of Insurance 


Aggregate First Party Coverages Limit of Insurance $100,000 
Crisis Management Expense Limit of Insurance $100,000 
Fraud Response Expense Limit of Insurance $100,000 
Public Relations Expense Limit of Insurance $100,000 
Forensic and Legal Expense Limit of Insurance $ 25,000 
Extortion Loss Limit of Insurance $ 10,000 

RETENTIONS
Aggregate Policy Level Retention $0 
Claims-Made Liability Coverage Retention 
Each Claim Retention $0 
First Party Coverages Retention 
Aggregate First Party Coverages Retention $0 
Crisis Management Expense Retention $0 
Fraud Response Expense Retention $0 
Public Relations Expense Retention $0 
Forensic and Legal Expense Retention $0 
Extortion Loss Retention $0 


SCHEDULE OF ADDITIONAL COVERAGE 


SCHEDULE OF PCI-DSS FINES COVERAGE 


Limits of Insurance 


Each PCI-DSS Claim $100,000 
Retention 

Aggregate PCI-DSS Fines Claim Retention $0 

PCI-DSS Fines Claim Retroactive Date N/A 


NOTE: If no PCI-DSS Fines Claim Retroactive Date is stated in this Schedule, 
the Retroactive Date for this coverage will be the Retroactive Date stated on the Declarations. 


SCHEDULE OF RANSOMWARE LOSS COVERAGE

Ransomware Loss Limit of Insurance $10,000
Ransomware Loss Retention $0


SCHEDULE OF SOCIAL ENGINEERING FRAUD LOSS COVERAGE

Social Engineering Fraud Loss Limit of Insurance $10,000
Social Engineering Fraud Loss Retention $0


SCHEDULE OF TELECOMMUNICATIONS THEFT LOSS COVERAGE

Telecommunications Theft Loss Limit of Insurance $10,000
Telecommunications Theft Loss Retention $0


FORMS

Policyholder Notice — Economic and Trade Sanctions: AXIS 906 0316
Michigan Disclaimer Notice: AXIS MI901 0815
Policyholder Disclosure — Notice of Terrorism Insurance: TRIA Disclosure 0115
Michigan Amendatory Endorsement: AXIS 1010710 0117
AXIS eRISK HUB: AXIS 143 (09-15)
Signature Page: AXIS 102 AIC (06-15)
Payment Card Industry Data Security Standards Coverage Endorsement: AXIS 101 0033A (04-17)
Social Engineering Fraud Coverage Endorsement: AXIS 101 0035 (01-17)
Telecommunications Theft Loss Coverage Endorsement: AXIS 101 0036 (01-17)
Application Reliance Endorsement: AXIS140 0815
Cancellation and Nonrenewal Endorsement - Michigan: AXIS 801 MI (06-15)
Privacy Regulation Definition Change Endorsement - GDPR: AXIS 1011317 1217
Mitigation Expense Coverage Endorsement: MANU-6548 (08-18)
Insured Entity Change Endorsement: MANU-RGS4 (08-18)
PrivaSure Enhancement Endorsement: PVSR 324 0116
PrivaSure Insurance Policy: PVSR-101 (08-16)
Ransomware Loss Coverage Endorsement: AXIS 101 0034 (01-17)
PCI Re-Certification Services Expense Change Endorsement: AXIS 101 0038 (01-17)


NOTICES TO INSURER 


Send Notice of Claims To: 


Claims Department 
AXIS Insurance 


P.O. Box 4470 
Alpharetta, GA 30023-4470 


Email: USFNOL@axiscapital.com 
Phone (Toll-Free): (866) 259-5435 
Phone: (678) 746-9000
Fax: (678) 746-9315 


Send All Other Notices And Inquiries To: 


AXIS Insurance 


11680 Great Oaks Way 
Suite 500 
Alpharetta, GA 30022 


Email: notices@axiscapital.com 
Phone (Toll-Free): (866) 259-5435 
Phone: (678) 746-9000
Fax: (678) 746-9315 


SCHEDULE OF SERVICE PROVIDER FOR LEGAL SERVICES

Service Provider: Mullen Coughlin LLC

Contact Details:
RGS Breach Hotline Number: (844) 591-5997
Notifications Email: rgs.breachhotline@mullen.law

This hotline is available 7 days a week, including holidays, to
meet your emergency needs.


POLICYHOLDER NOTICE
ECONOMIC AND TRADE SANCTIONS 


This Notice provides information concerning possible impact on your insurance coverage due to directives 
issued by the Office of Foreign Assets Control (OFAC). 


THE OFFICE OF FOREIGN ASSETS CONTROL ("OFAC") OF THE US DEPARTMENT OF THE TREASURY 
ADMINISTERS AND ENFORCES ECONOMIC AND TRADE SANCTIONS BASED ON US FOREIGN POLICY AND 
NATIONAL SECURITY GOALS AGAINST TARGETED FOREIGN COUNTRIES AND REGIMES, TERRORISTS, 
INTERNATIONAL NARCOTICS TRAFFICKERS, THOSE ENGAGED IN ACTIVITIES RELATED TO THE 
PROLIFERATION OF WEAPONS OF MASS DESTRUCTION, AND OTHER THREATS TO THE NATIONAL 
SECURITY, FOREIGN POLICY OR ECONOMY OF THE UNITED STATES. 


WHENEVER COVERAGE PROVIDED BY THIS POLICY WOULD BE IN VIOLATION OF ANY U.S. ECONOMIC OR 
TRADE SANCTIONS, SUCH COVERAGE SHALL BE NULL AND VOID. 


FOR MORE INFORMATION, PLEASE REFER TO: 


HTTPS://WWW.TREASURY.GOV/RESOURCE-CENTER/SANCTIONS/PAGES/DEFAULT.ASPX 


Endorsement No. | Effective Date of Endorsement | Policy Number
NA | 12:01 a.m. on | See Declarations Page | NA
If the above date is blank, then this endorsement is effective on the effective date of the Policy.


MICHIGAN DISCLAIMER NOTICE 


THIS POLICY IS EXEMPT FROM THE FILING REQUIREMENTS OF MCL 500.2236. 


AXIS MI 901 (08-15) 


POLICYHOLDER DISCLOSURE 
NOTICE OF TERRORISM INSURANCE COVERAGE 


The Terrorism Risk Insurance Act established a program (Terrorism Risk Insurance Program) within the Department of 
the Treasury, under which the federal government shares, with the insurance industry, the risk of loss from future terrorist 
attacks. You are hereby notified that an "act of terrorism", as defined in Section 102(1) of the Terrorism Risk Insurance 
Act, as amended (the "Act"), means any act that is certified by the Secretary of the Treasury—in consultation with the
Secretary of Homeland Security, and the Attorney General of the United States—to be an act of terrorism; to be a violent 
act or an act that is dangerous to human life, property, or infrastructure; to have resulted in damage within the United 
States, or outside the United States in the case of certain air carriers or vessels or the premises of a United States 
mission; and to have been committed by an individual or individuals as part of an effort to coerce the civilian population of 
the United States or to influence the policy or affect the conduct of the United States Government by coercion. Under your 
coverage, any losses resulting from certified acts of terrorism may be partially reimbursed by the United States 
Government under a formula established by the Terrorism Risk Insurance Act, as amended. However, your policy may 
contain other exclusions which might affect your coverage, such as an exclusion for nuclear events. Under the formula, 
the United States Government generally reimburses 85% through 2015; 84% beginning on January 1, 2016; 83% 
beginning on January 1, 2017; 82% beginning on January 1, 2018; 81% beginning on January 1, 2019 and 80% 
beginning on January 1, 2020, of covered terrorism losses exceeding the statutorily established deductible paid by the 
insurance company providing the coverage. The Terrorism Risk Insurance Act, as amended, contains a $100 billion cap 
that limits U.S. Government reimbursement as well as insurers’ liability for losses resulting from certified acts of terrorism 
when the amount of such losses exceeds $100 billion in any one calendar year. If the aggregate insured losses for all 
insurers exceed $100 billion, your coverage may be reduced. 


Please note that your policy includes the terrorism coverage required to be offered by the Act, and that no separate 
additional premium charge has been made for such terrorism coverage. The policy premium does not include any 
charges for the portion of losses covered by the United States government under the Act. 


NOTICE TO BROKER 
MANDATORY POLICYHOLDER DISCLOSURE 
RE: TERRORISM INSURANCE COVERAGE 


We are required by the Terrorism Risk Insurance Act, as amended (the “Act”), to provide policyholders with clear and 
conspicuous disclosures. This notice must be provided at the time of offer and renewal of the policy. 


Includes copyrighted material 2015 National Association of Insurance Commissioners 


Endorsement No. | Effective Date of Endorsement | Policy Number | Premium
NA | 12:01 a.m. on | See Declarations Page | NA
If the above date is blank, then this endorsement is effective on the effective date of the Policy.


MICHIGAN AMENDATORY ENDORSEMENT


It is agreed that:


I. The General Condition Action Against the Insurer is deleted in its entirety and replaced with the following:


In the event execution of a judgment against the Insured is returned unsatisfied in an action brought by the 
injured person or claimant or such person’s estate because of insolvency or bankruptcy of the Insured, then an 
action may be maintained in the nature of a writ of garnishment by the injured person or claimant against the 
Insurer under the terms of the Policy to the extent of the Policy's coverage for the amount of the judgment 
obtained against the Insured not to exceed the Policy’s Limit of Liability as provided in the Declarations. 


II. The following is added to the policy:


The failure to provide notice of a Claim within the time prescribed shall not invalidate a Claim if the Insured 
shows that it was not reasonably possible to provide such notice, and such notice was provided as soon as 
practicable after it became possible for the Insured to provide such notice. Notice of Claim may be provided to 
any authorized agent of the Insurer located within the state of Michigan. 


All other provisions of the policy remain unchanged. 


POLICYHOLDER NOTICE
AXIS eRISK HUB 
This notice shall not be construed as part of your policy nor shall it be construed to replace any provisions of your policy. 
This notice provides information about the AXIS eRisk Hub®. 


Maintained by NetDiligence®, the AXIS eRisk Hub® is a private web-based portal available to select AXIS policyholders 
and features specialized content and risk management tools to improve preparedness and facilitate response to network 
and data security events. 


The AXIS eRisk Hub® is private and secure. Do not share access or access instructions outside of your organization. 
To register for the AXIS eRisk Hub®: 

1. Go to https://eriskhub.com/axis

2. Complete the registration form 

3. Enter 10745 in the Access Code field 

4. Login with the User ID and Password you established during the registration process 


No more than three individuals may register for the AXIS eRisk Hub® with this policy. Registered users have unlimited 
access during the policy period and must cease use upon the effective date of cancellation or expiration unless a renewal 
policy is purchased. 


AXIS PRO® PRIVASURE™ INSURANCE POLICY


Except for section and paragraph headings, all words in bold have a special meaning as set forth in the section entitled 
DEFINITIONS. Section and paragraph headings are provided for informational purposes only and do not have special 
meaning. 


SOLELY AS RESPECTS CLAIMS-MADE LIABILITY COVERAGES UNDER THIS POLICY: THIS INSURANCE POLICY 
PROVIDES COVERAGE ON A CLAIMS-MADE BASIS AND APPLIES ONLY TO CLAIMS FIRST MADE AGAINST THE 
INSURED DURING THE POLICY PERIOD OR ANY APPLICABLE EXTENDED REPORTING PERIOD. CLAIMS MUST 
BE REPORTED TO THE INSURER AS SET FORTH IN THE SECTION ENTITLED REPORTING OF CLAIMS AND 
EVENTS. CLAIM EXPENSES ARE INCLUDED IN THE LIMITS OF INSURANCE, AND PAYMENT THEREOF WILL 
ERODE, AND MAY EXHAUST, THE POLICY LIMIT OF INSURANCE. 


In consideration of the payment of the premium and in reliance on the statements in the Application and subject to all 
other terms and conditions of this policy, the Insurer designated on the Declarations and the Named Insured, on behalf of 
all Insureds, agree to the following: 


CLAIMS-MADE LIABILITY COVERAGES 


The following Coverages apply if the Declarations displays a Limit of Insurance for such Coverage: 
A. Enterprise Security Event Liability Coverage 


The Insurer will pay those Damages, in excess of the applicable retention and within the applicable Limit of 
Insurance, that the Insured becomes legally obligated to pay because of an Enterprise Security Event Claim, 
provided that: 


1. such Enterprise Security Event Claim is first made against the Insured during the Policy Period or any 
applicable Extended Reporting Period and is reported to the Insurer in accordance with section entitled 
REPORTING OF CLAIMS AND EVENTS; 


2. the Enterprise Security Event giving rise to the Enterprise Security Event Claim first occurred on or after 
the Retroactive Date and prior to the end of the Policy Period and is reported to the Insurer in accordance 
with section entitled REPORTING OF CLAIMS AND EVENTS; and 


3. as of the First Inception Date, no Control Group Insured: 
a. had given notice to any insurer of any: 
i. Related Enterprise Security Event Claim; 


ii. act, error, omission, fact or circumstance, including any Related Enterprise Security Event, 
reasonably likely to give rise to an Enterprise Security Event Claim; or 


b. knew, or had a basis to believe, that any: 
i. Related Enterprise Security Event Claim had been made; or 


ii. act, error, omission, fact or circumstance, including any Related Enterprise Security Event, was 
reasonably likely to give rise to an Enterprise Security Event Claim. 


The Insurer will also pay all Claim Expenses in excess of any applicable retention in connection with such Claim. 
Claim Expenses are included within and erode the applicable Limits of Insurance. 


B. Privacy Regulation Liability Coverage


The Insurer will pay that Regulatory Loss, in excess of the applicable retention and within the applicable Limit of 
Insurance, that an Insured becomes legally obligated to pay because of a Privacy Regulation Claim alleging 
such Insured or others for whom such Insured is legally liable violated a Privacy Regulation, provided that: 


1. such Privacy Regulation Claim is first made against the Insured during the Policy Period or any applicable 
Extended Reporting Period and is reported to the Insurer in accordance with section entitled REPORTING 
OF CLAIMS AND EVENTS; 


2. the Enterprise Security Event giving rise to the Privacy Regulation Claim first occurred on or after the 
Retroactive Date and prior to the end of the Policy Period and is reported to the Insurer in accordance with 
section entitled REPORTING OF CLAIMS AND EVENTS; and 


3. as of the First Inception Date, no Control Group Insured: 


a. had given notice to any insurer of any Related Privacy Regulation Claim or of any Related Violation 
reasonably likely to give rise to a Privacy Regulation Claim; 


b. knew, or had a basis to believe, that any Related Privacy Regulation Claim had been made or that any 
Related Violation was reasonably likely to give rise to a Privacy Regulation Claim. 


The Insurer will also pay all covered Claim Expenses in excess of any applicable retention in connection with any 
such Claim. Claim Expenses are included within and erode the applicable Limits of Insurance. 


FIRST PARTY COVERAGES 


The following Coverages apply if the Declarations displays Limits of Insurance for such Coverage: 
A. Crisis Management and Fraud Prevention Expense Coverages 
The Insurer will pay the Insured Entity for: 
1. Crisis Management Expense; 
2. Fraud Response Expense; 
3. Public Relations Expense; and 
4. Forensic and Legal Expense, 


incurred to respond to an Enterprise Security Event that occurs or that the Insured Entity reasonably believes 
has occurred, in excess of the applicable retention and within the applicable Limits of Insurance. 


B. Computer System Extortion Coverage 


The Insurer will pay the Insured Entity for Extortion Loss incurred because of an Extortion Threat, in excess of 
the applicable retention and within the applicable Limits of Insurance. 


It is a condition precedent to coverage under the First Party Coverages that: 
1. the Insured notifies the Insurer of such Extortion Threat, or of an Enterprise Security Event that occurred,
or that the Insured reasonably believes has occurred, as applicable, in accordance with the section entitled 
REPORTING OF CLAIMS AND EVENTS; 


2. the Enterprise Security Event or Extortion Threat, as applicable, first occurred during the Policy Period; 
and 


3. as of the First Inception Date, no Control Group Insured: 
a. had given notice to any insurer of any: 
i. Related Enterprise Security Event or Related Extortion Threat, as applicable; 


ii. act, error, omission, fact or circumstance reasonably likely to give rise to such Enterprise Security 
Event or Extortion Threat, as applicable; 


b. knew, or had a basis to believe, that any: 
i. Related Enterprise Security Event or Related Extortion Threat, as applicable, had occurred; 


ii. act, error or omission, fact or circumstance reasonably likely to give rise to an Enterprise Security 
Event or Extortion Threat had occurred. 


SUPPLEMENTAL BENEFITS 


Breach Preparedness Information Services 


The Insurer will provide Breach Preparedness Information Services to the Insured Entities during the Policy Period, 
even if an Enterprise Security Event has not yet occurred. This supplementary service will be provided to the Insured 
Entities without premium or fee. 


LIMITS OF INSURANCE, RETENTION AND REIMBURSEMENT 


A. Multiple Insureds, Claims, Claimants 


The Limits of Insurance will not exceed the amounts stated respectively on the Declarations no matter how many 
Insureds are covered, Claims or Extortion Threats are made against the Insureds, or violations of Privacy 
Regulations or Enterprise Security Events occur. 


B. Limits of Insurance 
1. Policy Limit of Insurance 


The Policy Limit of Insurance stated on the Declarations is the most the Insurer will pay for all amounts 
covered under this policy. 


2. Claims-Made Liability Coverages Limits of Insurance 


a. Aggregate Claims-Made Liability Coverages Limit of Insurance 
Subject to the Policy Limit of Insurance, the Aggregate Claims-Made Liability Coverages Limit of
Insurance set forth on the Declarations is the most the Insurer will pay for all covered amounts for all 
applicable Claims-Made Liability Coverages. 


b. Each Enterprise Security Event Claim Limit of Insurance 


Subject to the Policy Limit of Insurance and to the Aggregate Claims-Made Liability Coverages Limit of 
Insurance, the Each Enterprise Security Event Claim Limit of Insurance stated on the Declarations is 
the most the Insurer will pay for all covered Damages and Claim Expenses in connection with each such 
Enterprise Security Event Claim. 


c. Each Privacy Regulation Claim Limit of Insurance 


Subject to the Policy Limit of Insurance and to the Aggregate Claims-Made Liability Coverages Limit of 
Insurance, the Each Privacy Regulation Claim Limit of Insurance stated on the Declarations is the most 
the Insurer will pay for all covered Regulatory Loss and Claim Expenses in connection with each such 
Privacy Regulation Claim. 


3. First Party Coverages Limit of Insurance 
a. Aggregate First Party Coverages Limit of Insurance 


Subject to the Policy Limit of Insurance, the Aggregate First Party Coverages Limit of Insurance set forth 
on the Declarations is the most the Insurer will pay for all covered amounts applicable to all First Party 
Coverages. 


b. Each Expense/Extortion Loss Limit of Insurance 


Subject to the Policy Limit of Insurance and to the Aggregate First Party Coverages Limit of Insurance, 
the applicable Crisis Management Expense, Fraud Response Expense, Public Relations Expense, 
Forensic and Legal Expense and Extortion Loss Limit of Insurance set forth on the Declarations is the 
most the Insurer will pay for each such covered expense or Extortion Loss. 


C. Retention 


If a retention is indicated on the Declarations, the Insured is responsible for payment of such retention. All 
retentions will be borne by the Insureds uninsured and at their own risk. The Insurer’s obligation to pay any 
amounts under this policy is excess of the applicable retention. The Limits of Insurance will not be reduced by the 
payment of any retention. 


1. Aggregate Policy Level Retention 


The Aggregate Policy Level Retention set forth on the Declarations, if any, is the most the Insured will be 
required to pay under the policy as Damages, Regulatory Loss, Claim Expenses, Crisis Management 
Expense, Fraud Response Expense, Public Relations Expense, Forensic and Legal Expense or 
Extortion Loss, regardless of the number of Claims, Enterprise Security Events or Extortion Threats. 


2. Claims-Made Liability Coverage Retention 


Subject to the Aggregate Policy Level Retention, the Each Claim Retention stated on the Declarations, if any, 
will apply to each Claim. 


3. Aggregate First Party Coverages Retention 
Subject to the Aggregate Policy Level Retention, the Aggregate First Party Coverages Retention set forth on
the Declarations, if any, is the most the Insured will be required to pay under the policy as Crisis 
Management Expense, Fraud Response Expense, Public Relations Expense, Forensic and Legal 
Expense or Extortion Loss, regardless of the number of Enterprise Security Events or Extortion Threats. 


4. First Party Coverages Retentions 


Subject to the Aggregate Policy Level Retention and the Aggregate First Party Coverages Retention, the 
applicable Crisis Management Expense Retention, Fraud Response Expense Retention, Public Relations 
Expense Retention, Forensic and Legal Expense Retention and Extortion Loss Retention set forth on the
Declarations, if any, is the most the Insured will be required to pay under the policy for such covered expense 
or Extortion Loss, regardless of the number of Enterprise Security Events or Extortion Threats. 


D. If the Insurer has paid any amounts in excess of any applicable Limit of Insurance, any amounts paid in excess of 
the Insurer’s obligation to pay pursuant to Defense and Settlement of Claims, paragraph B., or amounts paid in 
connection with Claims, Enterprise Security Events, or Extortion Threats for which this policy does not afford 
coverage, or if the Insurer has paid part or all of the retention, the Insurer will have the right to seek recovery from 
the Named Insured for any such amounts. 


DEFENSE AND SETTLEMENT OF CLAIMS 


A. The Insurer will have the right and duty to defend a covered Claim, even if the allegations are groundless, false or 
fraudulent. 


B. The Insurer will have the right to appoint counsel on the Insured’s behalf and to investigate and settle a covered 
Claim as is deemed necessary by the Insurer. However, the Insurer will not settle a Claim without the Insured’s 
consent, such consent not to be unreasonably withheld. If the Insurer recommends a settlement of a Claim which 
is acceptable to the claimant, and the Insured refuses to consent to such settlement, then the Insurer’s obligation 
to pay Damages, Regulatory Loss and Claim Expenses on account of such Claim, will not exceed the sum of 
the amount for which the Insurer could have settled such Claim plus Claim Expenses incurred prior to the date 
of such settlement offer, plus fifty percent (50%) of Damages, Regulatory Loss and Claim Expenses combined 
that are incurred after the date of the Insured’s refusal to consent to such settlement. However, in no event will 
the Insurer’s liability exceed the applicable Limits of Insurance. 


C. The Insureds will not settle any Claim, pay any Damages or Regulatory Loss, incur any Claim Expenses, 
admit or assume any liability, stipulate to any judgment, or otherwise assume any obligation with respect to a 
Claim without the Insurer’s prior written consent. Notwithstanding the foregoing, if all applicable Insureds are 
able to fully and finally dispose with prejudice such Claim for an amount within the applicable retention, including 
Claim Expenses, then the Insurer's consent will not be required for such disposition. 


D. The Insurer’s right and duty to defend or pay Insureds ends when the applicable Limit of Insurance has been 
exhausted. 


EXCLUSIONS 


A. Exclusions Applicable to Claims-Made Liability Coverages 
This policy does not provide coverage for Claims: 


• Bodily Injury or Property Damage

based upon or arising out of:


1. Bodily Injury except that this exclusion does not apply to mental injury or mental anguish if directly 
resulting from an Enterprise Security Event involving Protected Personal Information that gives rise to 
an Enterprise Security Event Claim. 


2. Property Damage. 

• Contractual Liability


for, based upon or arising out of any breach of contract, representation, warranty or guarantee, except, 
however, this exclusion does not apply to Claims: 


1. based upon the Insured’s liability that would have attached in the absence of such contract or 
agreement, or 


2. for an Insured’s breach of an obligation, to maintain the security or confidentiality of Protected Data.

• Fraudulent or Intentional Misconduct


based upon or arising out of any act, error or omission that is dishonest, fraudulent, criminal, malicious or 
intentionally committed by an Insured while knowing it was wrongful or unauthorized. However, the Insurer 
will provide a defense and pay Claim Expense unless or until such conduct is evidenced by any judgment, 
final adjudication, alternate dispute resolution proceeding, or by admission by the Insured. 


This exclusion only applies to any Insured who is found to have committed such conduct by any trial verdict, 
court ruling, or regulatory ruling. 


For the purpose of applying this exclusion: 


1. the acts, errors or omissions of any current or former partner, officer, or director of any Insured Entity will 
be imputed to the Insured Entity; 


2. the acts, errors or omissions of any Individual Insured will not be imputed to any other Individual 
Insured. 


• Insured versus Insured

made by, on behalf of or for the benefit of any Insured Entity.

• Intellectual Property


based upon or arising out of any actual or alleged infringement, contributory infringement, misappropriation or 
theft of any intellectual property rights by the Insured, including, but not limited to patent, copyright or 
trademark, service mark, trade dress, trade secret, or trade slogan. 


• Owned Entity


made by, on behalf of or for the benefit of any entity that is a parent of the Named Insured, joint venturer or 
co-venturer of any Insured Entity, or other entity in which any Insured is a partner, and including any entity 
directly or indirectly controlled, operated or managed by such an entity. 

• Pollution

based upon, arising out of, directly or indirectly resulting from, in consequence of, or in any way involving: 
1. any nuclear reaction, radiation, or contamination; 


2. the actual, alleged or threatened discharge, release, escape, seepage, migration, dispersal, or disposal of 
Pollutants anywhere or anytime or the creation of any injurious condition involving Pollutants; or 


3. any direction, request, demand or order that the Insureds test for, monitor, clean up, remove, contain, 
treat, detoxify, or neutralize Pollutants; 


whether or not the events described in a, b, or c above were sudden, accidental, gradual, intended, expected 
or preventable, and whether or not any Insured caused or contributed to such event. 


B. Exclusions Applicable to Computer System Extortion Coverage 
This policy does not apply to cover any amounts in connection with an Extortion Threat made by: 


1. any entity which is a parent, affiliate, joint venturer or co-venturer of any Insured Entity, or other entity in 
which any Insured is a partner, including any individual who is an employee, officer or director thereof; 


2. any entity directly or indirectly controlled, operated or managed by an entity described in B.1., above, 
including any individual who is an employee, officer or director thereof; 


3. any Insured Entity; 


4. any individual or business entity with whom the Insured has entered into an agreement to provide or receive 
services. 


C. Exclusions Applicable to All Coverages 


This policy does not cover any amounts due to, in connection with or arising out of, or Claims based upon or 
arising out of: 


• Securities Law Violations 


violation of the Securities Act of 1933, the Securities Exchange Act of 1934, the Investment Advisers Act of 
1940, any state blue sky or securities law, any similar state or federal law, or any amendment to the above 
laws or any violation of any order, ruling or regulation issued pursuant to the above laws; except that this 
exclusion does not apply to a Privacy Regulation Claim. 


• Unlawful or Unauthorized Use of Information 


Any unlawful or unauthorized collection, acquisition or use of personal information by the Insured, including 
the use of such information to send unsolicited communications, faxes or emails, or any failure to comply with 
legal requirements or obligations relating to a person’s consent to the acquisition, collection, or use of 
personal information; except, however, this exclusion does not apply with respect to a Privacy Regulation 
Claim. 


• Violation of Statute 

any actual or alleged violation of any federal, state, or local statute, ordinance, or regulation, including but not 
limited to the Telephone Consumer Protection Act, the Can-Spam Act of 2003 and the Fair Credit Reporting 
Act and any amendment of or addition to such laws; except, however, this exclusion shall not apply to an 
otherwise covered Privacy Regulation Claim or to an otherwise covered Enterprise Security Claim that 
alleges an Insured’s violation of a Privacy Regulation for failure to timely disclose an incident described in 
paragraph 1. and 2. of the definition of Enterprise Security Event. 


• War 


war, invasion, hostilities or warlike operations (whether war is declared or not), strike, lock-out, riot, civil war, 
rebellion, revolution, insurrection, civil commotion assuming the proportions of or amounting to an uprising, 
military or usurped power, or the confiscation, nationalization or destruction of, or damage to, property under 
the order of government or other public authority. 


REPORTING OF CLAIMS AND EVENTS 


A. When a Claim is Made or Event Occurs 
1. A Claim will be deemed to be first made on the earlier of: 


a. the date of any Control Group Insured’s receipt of notice of such demand, request or investigation if 
such Claim is a written demand, request for information, or investigation, or 


b. the date of service upon or other receipt by a Control Group Insured of a complaint in any such 
proceeding, if such Claim is a civil proceeding, arbitration or any alternative dispute resolution 
proceeding. 


If Related Claims are subsequently made against the Insured and are reported to the Insurer, all such 
Related Claims, whenever made, will be considered a single Claim and such Claim will be deemed to have 
been made on the date the first of those Claims was made against any Insured. 


2. An Enterprise Security Event will be deemed to occur when the Enterprise Security Event becomes 
known to a Control Group Insured. 


If Related Enterprise Security Events subsequently occur, and are reported to the Insurer, all such Related 
Enterprise Security Events will be considered a single Enterprise Security Event and will be deemed to 
have occurred on the date the first of those Enterprise Security Events occurred. 


3. An Extortion Threat will be deemed to occur when the Extortion Threat becomes known to a Control 
Group Insured. 


If Related Extortion Threats subsequently occur and are reported to the Insurer, all such Related Extortion 
Threats will be considered a single Extortion Threat and will be deemed to have occurred on the date the 
first of those Extortion Threats occurred. 


B. Reporting of Claims and Events 
It is a condition precedent to coverage under this policy that: 


1. as soon as any Control Group Insured becomes aware of any Claim, the Insured must notify the Insurer in 
writing as soon as practicable, but in no event later than 30 days after the end of the Policy Period; 

2. as soon as any Control Group Insured becomes aware of any Enterprise Security Event, the Insured 
must immediately notify the Insurer in writing, but in no event later than 30 days after the Enterprise Security 
Event occurs; and 


3. as soon as any Control Group Insured becomes aware of any Extortion Threat, the Insured must 
immediately notify the Insurer in writing but in no event later than 30 days after the Extortion Threat first 
occurs. This notice must contain known details concerning the person or entity making the Extortion Threat, 
and all reasonably obtainable information concerning the time, place and other details of the Extortion 
Threat. 


The Insured is relieved of its obligation to notify the insurer as set forth in paragraphs 1, 2 and 3 above, if and 
only for so long as a “legal prohibition” prevents such notification. As used in this paragraph, “legal prohibition” 
means the written, dated and signed opinion of a qualified attorney who is not an Insured under this policy, that 
there exists a statute, law, regulation or court order that would prohibit such notification. Such opinion must 
specify the circumstances under which notification would be permissible. Immediately upon cessation of such 
“legal prohibition” the Insured must provide the required notice. 


C. Reporting of Circumstances 
1. Solely as respects Claims-Made Liability Coverages: 


If, during the Policy Period or within 30 days after the expiration of the Policy Period, an Insured gives the 
Insurer written notice of an act, error, omission, fact or circumstance, including an Enterprise Security Event 
or purported violation of a Privacy Regulation that occurred during the Policy Period and is reasonably 
likely to give rise to a Claim with full details of: 


a. such an act, error, omission, fact or circumstance including any available information on persons or 
entities involved in such act, error, omission, fact or circumstance; 


b. the nature and extent of the potential damages and the names of the potential claimants; 
c. the manner in which the Insured first became aware of such an act, error, omission, fact or circumstance, 


then any such Claim subsequently arising out of such act, error, omission, fact or circumstance will be 
deemed to have been made during the policy period in which notice was given. In order for coverage to apply 
to any such Claim, the Insured must provide notice to the Insurer of such Claim as soon as practicable, but 
no later than 30 days after such Claim is first made against the Insured. No coverage will be provided for any 
Damages, Regulatory Loss, or Claim Expenses incurred prior to the time such Claim is made unless 
otherwise authorized in writing by the Insurer. 


2. Solely as respects Crisis Management and Fraud Prevention Expense Coverages: 


If, during the Policy Period, an Insured reports any act, error, omission, fact or circumstance under the 
preceding paragraph that gives rise to an Enterprise Security Event, then the Enterprise Security Event 
subsequently arising out of such fact, circumstance, act, error or omission will be deemed to have occurred 
during the Policy Period. In order for coverage to apply to any expenses arising out of such Enterprise 
Security Event, the Insured must provide notice to the Insurer of such Enterprise Security Event as soon 
as practicable, but no later than thirty (30) days after such Enterprise Security Event first occurs. No 
coverage will be provided for any Crisis Management Expense, Fraud Response Expense, Public 
Relations Expense, or Forensic and Legal Expense incurred prior to the time the Enterprise Security 
Event occurs, unless otherwise authorized in writing by the Insurer. 

EXTENDED REPORTING PERIODS 


No Extended Reporting Period will be construed to be a new policy and any Claim submitted during an Extended 
Reporting Period will be subject to the policy's terms and conditions, except as specifically set forth below. All Claims 
made during an Extended Reporting Period must be reported in accordance with section entitled REPORTING OF 
CLAIMS AND EVENTS. 


A. Automatic Extended Reporting Period 


If the Named Insured or the Insurer does not renew this policy, or the Insurer cancels this policy for reasons 
other than for non-payment of premium, the Insurer will grant an automatic, non-cancelable sixty (60) day 
Extended Reporting Period. This automatic Extended Reporting Period terminates sixty (60) days after the 
end of the Policy Period. The Limits of Insurance applicable to Claims made during the automatic Extended 
Reporting Period is part of and not in addition to the Limits of Insurance set forth on the Declarations. 


No automatic Extended Reporting Period is available if the Named Insured elects an Optional Extended 
Reporting Period, or if the Named Insured obtains another insurance policy that applies to such Claim within 
sixty (60) days immediately following the end of the Policy Period. 


B. Optional Extended Reporting Period 


If this policy is canceled or non-renewed, the Named Insured may elect to purchase an Optional Extended 
Reporting Period unless the Insurer cancels or non-renews the policy because any Insured failed to pay any 
amounts owed to the Insurer or any Insured failed to comply with policy provisions. 


1. The Optional Extended Reporting Periods and their respective percentages of the annual premium that the 
Named Insured must pay to purchase an Optional Extended Reporting Period are set forth on the 
Declarations. 


2. The Insurer must receive the Named Insured’s request for the Optional Extended Reporting Period by 
written notice together with the applicable premium, within forty-five (45) days after the end of the Policy 
Period. If the Insurer does not receive payment within forty-five (45) days following the effective date of 
termination or nonrenewal, the Insurer will not be required to provide any Optional Extended Reporting 
Period. Premium for the Optional Extended Reporting Period will be fully earned on the effective date 
thereof. Once in effect, the Optional Extended Reporting Period may not be canceled. 


3. A Claim reported in writing to the Insurer during the Optional Extended Reporting Period will be deemed to 
have been made on the last day of this Policy Period. 


4. No Extended Reporting Period reinstates or increases the Limits of Insurance. 


DEFINITIONS 


Whether expressed in the singular or plural, whenever appearing in bold in this policy, the following terms have the 
meanings set forth below. 


Additional Insured means a person or entity to which an Insured Entity is obligated by virtue of a written contract or 
agreement to add such person or entity to this policy as an additional insured. Such person or entity, however, is insured 
only for the vicarious liability of such person or entity because of a Claim based upon or arising from the acts or omissions 
of the Insured Entity and only to the extent of the Limits of Insurance required by such contract or agreement, subject to 
the availability of applicable Limits of Insurance. This paragraph does not apply unless the written contract or agreement 
has been executed prior to the Enterprise Security Event or violation of a Privacy Regulation upon which the Claim is 
based. No such person or entity is insured under this policy for its liability arising out of its own acts, errors, or omissions. 


Application means each and every signed application, any attachments or supplements to such applications, other 
written materials submitted therewith or incorporated therein and any other documents, including any warranty letters or 
similar documents, submitted in connection with the underwriting of this policy or the underwriting of any other policy 
issued by the Insurer or any of its affiliates of which this policy is a renewal or replacement, or which it succeeds in time. 
All such applications, attachments and materials are deemed attached to, incorporated into and made a part of this policy. 


Bodily Injury means physical injury to the body, or sickness or disease sustained by a person, including death resulting 
therefrom. Bodily Injury includes mental injury or mental anguish, including emotional distress, shock or fright, whether or 
not resulting from injury to the body, sickness, disease or death of any person. 


Breach Preparedness Information Service means data breach risk mitigation information displayed on the AXIS PRO® 
e-Risk Hub website. 


Claim means an Enterprise Security Event Claim or Privacy Regulation Claim, as applicable. 


Claim Expenses means reasonable and necessary expenses incurred in the investigation, adjustment, negotiation, 
arbitration, mediation and defense of covered Claims, whether paid by the Insurer or by the Insured with the Insurer’s 
consent. Claim Expenses includes: 


1. attorney fees incurred by the Insurer or by the Insured with the Insurer’s consent; 


2. court costs taxed against an Insured. However, this does not include attorney’s fees or attorney’s expenses taxed 
against the Insured; 


3. the cost of appeal bonds or bonds to release attachments, but only for bond amounts within the applicable Limit of 
Insurance. The Insurer does not have to furnish these bonds; and 


4. expenses incurred by an Individual Insured at the Insurer’s request, excluding: 
a. loss of earnings; and 
b. salaries, benefits, or other compensation paid to any Insured. 


Computer System means computer hardware, software and all components thereof linked together through a network of 
devices accessible through the internet or the Insured Entity’s intranet or connected with data storage or other peripheral 
devices that are: 


1. operated by and either owned by or leased to an Insured Entity; or 
2. operated for the benefit of an Insured Entity by a third party service provider; and 
3. used for: 

a. the purpose of providing hosted application services to an Insured Entity, or 


b. for processing, maintaining, or storing electronic data, pursuant to written contract or agreement with an 
Insured Entity. 

Consumer Redress Fund means those sums the Insured is legally obligated to deposit in a fund as an equitable remedy 
for the payment of consumer claims resulting from an adverse judgment, ruling, or settlement of a Privacy Regulation 
Claim. 


Control Group Insured means an Insured Entity’s chairperson of the board of directors, president, chief executive 
officer, chief operating officer, chief financial officer, chief technology officer, chief information officer, chief privacy officer, 
chief security officer, risk manager or in-house counsel, or their functional equivalents, and the non-administrative 
personnel of the offices thereof. 


Corporate Information means any information owned by a third party and in an Insured Entity’s care, custody, or 
control and that an Insured Entity is legally required to maintain in confidence. However, Corporate Information does 
not include Protected Personal Information and does not mean publicly available information that is lawfully in the 
public domain or information available to the general public from government records. 


Crisis Management Expense means the reasonable costs of those services described in the sub-paragraphs below 
incurred by or on behalf of an Insured Entity, in excess of the Insured Entity's normal operating costs and with the prior 
written approval of the Insurer: 


1. preparation, distribution and/or transmission of notices of the Enterprise Security Event by reasonable means 
for the purpose of advising those persons whose Protected Personal Information may have been improperly 
accessed, lost or stolen regardless of whether such notice is mandated by law or regulations, provided that such 
costs are incurred by an Insured Entity to mitigate financial, reputational or other harm in connection with an 
Enterprise Security Event that occurs or that the Insured Entity reasonably believes has occurred; 


2. call center services to answer questions from persons receiving notice in accordance with paragraph 1. above; 


3. design and implementation of a website for advising of any purported access, loss of or theft of Protected 
Personal Information. 


Provided, however, Crisis Management Expense does not mean and does not include Fraud Response Expense, 
Public Relations Expense or Forensic and Legal Expense. 


Damages means monetary judgment, award or settlement, including pre-judgment interest, and amounts that are actual, 
statutory, punitive, multiplied or exemplary, if permitted by law in an applicable jurisdiction; and attorney's fees and 
attorney’s expense included as part of a judgment, award or settlement. Damages also includes interest on any part of a 
judgment not exceeding the applicable Limits of Insurance that accrues after the entry of the judgment and before the 
Insurer has paid or tendered or deposited the applicable judgment amount in court. 


However, Damages does not include: 
1. fines or penalties, taxes, loss of tax benefits, or sanctions assessed against any Insured; 
2. costs to comply with orders granting non-monetary or injunctive relief; 


3. royalties, return or offset of royalties, fees, deposits, commissions or charges or any award, calculation or 
determination of damages based on royalties, licensing fees or profits; 


4. any amounts attributable to loss of, theft of or the fluctuation in the value of, monies or securities; 


5. disgorgement of unjust enrichment or profits; 

6. liquidated damages to the extent such liquidated damages exceed the amount for which the Insured would have 
been liable in the absence of such liquidated damages agreement; 


7. any amounts for which the Insured is not liable or for which there is no legal recourse against the Insured; 
8. any amounts deemed uninsurable under the law pursuant to which this policy is construed; 

9. any amounts for which an Insured is liable pursuant to any Payment Card Industry Agreement; 

10. any amount incurred to test for, monitor, clean up, remove, contain, treat, detoxify, or neutralize Pollutants. 


In determining the insurability of punitive or exemplary damages, or the multiplied portion of any multiplied damage 
award, the law of the jurisdiction most favorable to the insurability of those damages will apply. If the Named Insured 
reasonably determines that punitive or exemplary damages are insurable, the Insurer will not challenge that 
determination. 


Enterprise Security Event means any of the following: 


1. accidental release, unauthorized disclosure, loss, theft or misappropriation of Protected Data in the care, custody 
or control of an Insured Entity or Service Contractor; 


2. alteration, corruption, destruction, deletion or damage to data stored on the Computer System; 
3. transmitting or receiving Malicious Code via the Computer System; 


4. unauthorized access to or unauthorized use of the Computer System that directly results in denial or disruption 
of access of authorized parties; 


5. solely with respect to an Enterprise Security Event Claim, the Insured’s failure to: 
a. timely disclose an incident described in 1. and 2. above in violation of a Privacy Regulation; 
b. comply with its own written and published privacy policy, but solely with respect to provisions: 
i. prohibiting any Insured from disclosing, sharing, or selling Protected Personal Information; 


ii. requiring the Insured to provide access to and correct inaccurate or incomplete Protected Personal 
Information; and 


iii. requiring compliance with procedures to prevent the theft or loss of Protected Personal Information. 


Enterprise Security Event Claim means a written demand for monetary or non-monetary relief, or a civil proceeding, 
arbitration or any alternative dispute resolution proceeding, including any appeal therefrom, alleging an Enterprise 
Security Event. Enterprise Security Event Claim does not include a Privacy Regulation Claim. 


Extended Reporting Period means the designated period of time after the cancellation or non-renewal of the Policy 
Period for reporting Claims first made against the Insured during such designated period of time provided that the 
Enterprise Security Event Claim alleges an Enterprise Security Event that first occurred on or after the Retroactive 
Date and prior to the end of the Policy Period, or the Privacy Regulation Claim alleges a violation of a Privacy 
Regulation that first occurred on or after the Retroactive Date and prior to the end of the Policy Period. 


Extortion Loss means: 

1. those reasonable expenses incurred by or on behalf of an Insured Entity, after obtaining the Insurer’s 
pre-approval, to evaluate an Extortion Threat and to certify that the threat has ended; and 


2. those funds paid by the Insured, after obtaining the Insurer’s pre-approval, to a party or parties that have made 
an Extortion Threat. 


However, Extortion Loss does not include any amounts for, arising out of or in connection with royalties, fees, 
deposits, commissions or charges for content, goods or services, Crisis Management Expense, Fraud Response 
Expense, Public Relations Expense or Forensic and Legal Expense. 


Extortion Threat means any credible threat: 


1. to commit an attack against computer hardware, software and all components thereof linked together through a 
network of devices accessible through the internet or the Insured Entity’s intranet or connected with data storage 
or other peripheral devices and operated by and either owned by or leased to an Insured Entity, or 


2. to disseminate Protected Data for which the Insured Entity is legally responsible, 


for the purpose of extorting funds from an Insured Entity. All Related Extortion Threats will be deemed one 
Extortion Threat. 


First Inception Date is the inception date of the earliest insurance policy the Insurer issued to the Named Insured that 
provides coverage similar to that afforded under this policy when there has been uninterrupted coverage by the Insurer for 
the Named Insured from that earliest policy to this policy. 


Forensic and Legal Expense means the reasonable cost of those services described in the subparagraphs below 
incurred by or on behalf of an Insured Entity in excess of the Insured Entity's normal operating costs and with the prior 
written approval of the Insurer: 


1. a System Investigation; 
2. services performed by a licensed legal professional retained by an Insured Entity for the purpose of: 


a. determining and advising the Insured on the applicability of notice requirements under any Privacy 
Regulation, 


b. determining and developing the form of notification to comply with applicable notice requirements under any 
Privacy Regulation. 


Provided, however, Forensic and Legal Expense does not mean and does not include Crisis Management 
Expense, Fraud Response Expense or Public Relations Expense. 


Fraud Response Expense means the reasonable cost of credit monitoring services and identity monitoring services or 
Identity Theft Insurance for a one year period to Qualified Persons incurred by or on behalf of an Insured Entity in 
excess of the Insured Entity’s normal operating costs and with the prior written approval of the Insurer for the purpose of 
mitigating financial loss resulting from disclosure of Protected Personal Information due to an Enterprise Security 
Event that occurs or that the Insured Entity reasonably believes has occurred. Provided, however, Fraud Response 
Expense does not mean and does not include Crisis Management Expense, Public Relations Expense or Forensic 
and Legal Expense. 

Identity Theft Insurance means an insurance policy that pays benefits, for reasonable and necessary costs to restore an 
individual’s identity, including but not limited to travel costs, notary fees, and postage costs, lost wages, and legal fees and 
expenses associated with such efforts. 


Individual Insured means, individually and collectively: 
1. an Insured Entity’s stockholders but solely for their liability as stockholders; 


2. an Insured Entity’s current or former partners, officers, directors and employees, including volunteers, but only 
with respect to their activities within the scope of their duties in their capacity as such; 


3. a natural person performing services or duties within the scope of their written agreement with an Insured Entity 
and for whom the Insured Entity is legally liable, but only while acting within the scope of such person’s duties 
performed on behalf of the Insured Entity, and only at the Insured Entity’s election upon notifying the Insurer of 
a Claim; and 


4. any Additional Insured. 

Insured means, individually and collectively: 
1. an Insured Entity; and 
2. an Individual Insured. 

Insured Entity means the Named Insured and any Subsidiary. 


Malicious Code means any computer virus, Trojan horse, worm, or other code, script, or software program that is 
intentionally designed and released or inserted to access, damage, disable, or harm any part of a computer network or 
Protected Data on such network. 


Management Control means that the Named Insured, either directly or indirectly: 
1. owns more than 50% of the issued and outstanding voting equity securities; or 


2. controls voting rights representing the present right to vote for election or to appoint more than 50% of the 
directors or trustees. 


Named Insured means the entity listed as such on the Declarations of this policy. 


Payment Card Industry Agreement means rules adopted by a credit/debit card company, or credit/debit card processor 
delineating data security standards, data incident management protocols or data incident indemnity obligations. 


Policy Period means the period of time stated on the Declarations or any shorter period resulting from cancellation of this 
policy. 

Pollutant means any solid, liquid, gaseous or thermal irritant or contaminant, including but not limited to: 
1. smoke, vapor, soot, fumes, acids, alkalis, chemicals, lead, silica, mold or asbestos; 
2. hazardous, toxic or radioactive matter or nuclear radiation; 
3. waste, which includes material to be recycled, reconditioned or reclaimed; or 
4. any other Pollutant as defined by applicable federal, state or local statutes, regulations, rulings, ordinances, 
or amendments thereto. 


Privacy Regulation means any of the following statutes and regulations associated with the care, custody, control or use 
of personally identifiable financial, medical or other sensitive personal information: 


1. Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191); 

2. Health Information Technology for Economic and Clinical Health Act of 2009, and its related regulations; 
3. Gramm-Leach-Bliley Act of 1999; 

4. California Database Breach Act (SB1386); 

5. Minnesota Plastic Card Security Act; or 


6. other state, federal and foreign identity theft and privacy protection statutes, rules and regulations similar to 1-5 
above that require commercial entities that collect, process, or store personal information (as defined in such 
statutes, rules and regulations, as applicable) to post privacy policies, adopt specific privacy controls, or to notify 
natural persons and/or organizations in the event that such personal information has been compromised or 
potentially compromised. 


Privacy Regulation Claim means a civil proceeding, civil investigation or request for information brought against any 
Insured for an actual or alleged violation of any Privacy Regulation resulting from a covered Enterprise Security Event 
and by or on behalf of any federal, state, or local or foreign governmental agency including, but not limited to the Federal 
Trade Commission or Federal Communications Commission. Privacy Regulation Claim does not include an Enterprise 
Security Event Claim. 


Property Damage means physical injury to tangible property and any resulting loss or corruption of data or information, 
including all resulting loss of use of that property, data or information. Property Damage does not mean the loss, 
corruption or destruction of data or information when the tangible property on which the data or information resides or 
resided is not physically injured. 


Protected Data means Protected Personal Information and Corporate Information. 


Protected Personal Information means, with respect to natural persons, any private, non-public information of any kind 
in an Insured Entity’s care, custody, or control, regardless of the nature or form of such information, including but not 
limited to the following, but only if such information allows an individual to be uniquely identified: 


1. social security number; 
2. medical service or healthcare data; 
3. driver's license or state identification number; 


4. equivalents of any of the information listed in 1. — 3. above; 

5. account, credit card, or debit card number, alone or in combination with any information that permits access to an 
individual’s financial information, including, but not limited to, security or access code or password; and 


6. other non-public information to the extent prescribed under Privacy Regulations. 


However, Protected Personal Information does not mean Corporate Data and does not mean publicly available 
information that is lawfully in the public domain or information available to the general public from government records. 


Public Relations Expense means the reasonable costs of those services described in the subparagraphs below, 
incurred by or on behalf of an Insured Entity in excess of the Insured Entity's normal operating costs and with the prior 
written approval of the Insurer, in response to an Enterprise Security Event that occurs or that the Insured Entity 
reasonably believes has occurred: 


1. hiring a public relations firm, law firm or crisis management firm for advertising or other communications services, 
including training a spokesperson, providing talking points for media interaction, developing frequently asked 
questions responses, drafting or editing press releases, preparing of internal memos and website content; 


2. placing advertisements, preparing website content, and other communications as recommended by such public 
relations firm, law firm or a crisis management firm to explain the nature of the event and any corrective actions 
taken; 


Provided, however, Public Relations Expense does not mean and does not include Crisis Management Expense, 
Fraud Response Expense or Forensic and Legal Expense. 


Qualified Persons means those natural living persons described in 1. or 2. below who are entitled to notification pursuant 
to paragraph 1. of the definition of Crisis Management Expense, if such person elects to receive credit monitoring 
services or identity monitoring services or Identity Theft Insurance within 180 days of receipt of such notification by the 
Insured: 


1. as respects credit monitoring services and Identity Theft Insurance, a person whose social security number, 
driver’s license number, government issued identification number, or financial account, credit card, or debit card 
number has been improperly accessed, lost or stolen in addition to such person’s name; and 


2. as respects identity monitoring services and Identity Theft Insurance, a person whose medical service or 
healthcare information has been improperly accessed, lost or stolen in addition to such person’s name. 


Regulatory Loss means fines and penalties which the Insured becomes legally obligated to pay as a result of a Privacy 
Regulation Claim when permitted by applicable law. Regulatory Loss also includes sums paid to a Consumer Redress 
Fund. 


Related Claims mean any Related Enterprise Security Event Claim or a Related Privacy Regulation Claim. 


Related Enterprise Security Event means all Enterprise Security Events that have as a common nexus any fact, 
circumstance, situation, event, transaction, cause or series of causally or logically connected facts, circumstances, 
situations, events, transactions or causes. 


Related Enterprise Security Event Claim means all Enterprise Security Event Claims arising out of a single 
Enterprise Security Event or Related Enterprise Security Events. 


Related Extortion Threats means all Extortion Threats that have as a common nexus any fact, circumstance, situation, 
event, transaction, cause or series of causally or logically connected facts, circumstances, situations, events, transactions 
or causes. 


PVSR-101 (08-16) Page 17 of 22 


AXIS PRO® PRIVASURE™ INSURANCE POLICY 


Related Privacy Regulation Claims means all Privacy Regulation Claims arising out of a single violation of a Privacy 
Regulation or arising out of Related Violations. 


Related Violation means all violations of a Privacy Regulation that have as a common nexus any fact, circumstance, 
situation, event, transaction, cause or series of causally or logically connected facts, circumstances, situations, events, 
transactions or causes. 


Retroactive Date means the date stated as such on the Declarations. If no date is stated, the Retroactive Date will be 
the First Inception Date of this policy. 


Service Contractor means any organization to which the Insured Entity has given care, custody or control of, or access 
to, Protected Personal Information pursuant to a written contract or agreement with the Insured Entity, but only while 
acting within the scope of its duties performed on behalf of the Insured Entity. 


Subsidiary means any entity in which, and so long as, the Named Insured has Management Control: 
1. as of the effective date of this policy, or 


2. after the effective date of this policy by reason of being created or acquired by an Insured Entity, after such date, 
if and to the extent coverage with respect to such entity is afforded pursuant to the paragraph entitled New and 
Former Entities in the GENERAL CONDITIONS. 


System Investigation means an investigation of the Computer System to determine the cause of an Enterprise 
Security Event that occurs or that the Insured Entity reasonably believes has occurred, and to identify and enroll or 
catalog the persons’ names, addresses and Protected Personal Information that may have been improperly accessed,
lost or stolen for the purposes of providing notification that may be required. 


GENERAL CONDITIONS 


Action Against the Insurer 


No action will lie against the Insurer unless, as a condition precedent thereto, there has been full compliance with all 
of the terms of this policy by all Insureds, nor until the amount of the Insured's obligation to pay will have been fully 
determined either by judgment or award against the Insured after trial or arbitration or by written agreement among 
the Insureds, the claimant and the Insurer. 


No person or organization will have any right under this policy to join the Insurer as a party to any action against the 
Insured to determine the Insured's liability, nor will the Insurer be impleaded by the Insured or the Insured’s legal 
representative. 


Assignment 


Assignment of any right or interest under this policy will not bind the Insurer unless and until its written consent is 
endorsed hereon. 


Assistance and Cooperation 


All Insureds will cooperate with the Insurer in the handling of the Claim, Enterprise Security Event or Extortion 
Threat and upon the Insurer’s request will: 

1. furnish the Insurer with copies of demands, reports, investigations, pleadings and all related papers and such
other information, assistance and cooperation as the Insurer may reasonably request; 


2. attend hearings, depositions, conferences, and trials, assist in effecting settlements, assist in securing and giving 
evidence, obtain the attendance of witnesses; and assist in any other aspect of the investigation and defense. 


An Insured will do nothing that in any way increases the Insurer’s exposure under this policy or in any way prejudices 
the Insurer’s potential or actual rights of recovery. No Insured will, except at the Insured’s own cost, voluntarily make 
a payment, admit liability, assume any obligation or incur any expense without the Insurer’s prior written consent 
unless otherwise specifically permitted. However, the Insured’s compliance with any Privacy Regulation will not be 
considered an admission of liability. 


Failure to cooperate with the Insurer in the defense of a Claim or in the investigation of a Claim, Enterprise Security 
Event or Extortion Threat is a breach of this policy and will result in loss of coverage. 


With respect to all First Party Coverages, the Insured’s duty to cooperate includes, but is not limited to with respect to 
an Extortion Threat, using best efforts to keep the existence of Computer System Extortion Coverage confidential. 
The Insured’s disclosure of the existence of Computer System Extortion Coverage to the public constitutes a 
failure of a condition precedent to coverage and will operate to defeat coverage for Extortion Loss under this policy. 


Authorization


The Named Insured is responsible for assurance of payment of all premiums and retentions. The Named Insured 
will have exclusive authority to act on behalf of all other Insureds with respect to providing and receiving notices of 
cancellation or nonrenewal, receiving any return premium, and purchasing any Optional Extended Reporting Period. 
In the event of a disagreement between any Insureds, the Named Insured will have exclusive authority to act on 
behalf of all other Insureds with respect to negotiation of settlements and the decision to appeal or not to appeal any 
judgment. 


Bankruptcy


The bankruptcy or insolvency of any Insured will not relieve the Insurer of the Insurer’s obligation under this 
insurance. 


Cancellation and Nonrenewal
1. Cancellation 


a. The Named Insured may cancel this policy by mailing or delivering written notice of cancellation to the 
Insurer at the address stated on the Declarations. Such notice of cancellation will state the effective date of 
cancellation or, if no effective date is stated, the effective date of cancellation will be thirty (30) days after the 
Insurer's receipt of notice. The Policy Period will end on that date. 


b. The Insurer may cancel this policy by mailing or delivering to the Named Insured written notice of 
cancellation at least: 


i. ten (10) days before the effective date of cancellation if the Insurer cancels for nonpayment of premium; 
or 


ii. thirty (30) days before the effective date of cancellation if the Insurer cancels for any other reason. 

The Insurer will mail or deliver the notice to the Named Insured at the address stated on the Declarations. If
notice of cancellation is mailed, proof of mailing will be sufficient proof of notice. Delivery of the notice will be 
the same as mailing. 


c. If this policy is canceled, the Insurer will send the Named Insured any premium refund due. If the Insurer 
cancels, the refund will be the pro rata unearned amount of the annual premium. If the Named Insured 
cancels, the refund, if any, will be the pro rata unearned amount of the annual premium calculated at the 
customary short rate. Return of premium to the Named Insured is not a condition precedent to cancellation. 


2. Nonrenewal 


The Insurer may elect not to renew this policy by mailing or delivering written notice of nonrenewal to the Named 
Insured at its address stated on the Declarations.


If notice of nonrenewal is mailed, proof of mailing will be sufficient proof of notice. Delivery of the notice will be the 
same as mailing. 


Changes to the Policy


Notice or knowledge possessed by any person will not effect a waiver or a change in any part of this policy or estop 
the Insurer from asserting any rights under the terms of this policy, nor will the terms of this policy be waived or 
changed except by written endorsement issued to form a part of this policy. 


Legal Representatives, Spouses and Domestic Partners


The legal representatives, estate, heirs, spouse and any domestic partner of any Individual Insured will be 
considered to be an Insured under this policy, but only for a Claim against such person arising solely out of their 
status as such and, with respect to a spouse or domestic partner, only where such Claim seeks amounts from marital 
community, jointly held property or property transferred from such insured to such spouse or domestic partner. No 
coverage is provided for any act, error or omission committed by any legal representative, estate, heir, spouse or 
domestic partner. 


Merger or Acquisition
If during the Policy Period any of the following events occurs: 


1. the merger or consolidation of the Named Insured into or with another entity such that the Named Insured is not 
the surviving entity; 


2. the acquisition by any person, entity, or group of persons or entities of: 
a. majority voting control of the Named Insured; or 
b. all or substantially all of the assets of the Named Insured; or 


c. the appointment by any state or federal official, agency or court, of any receiver, conservator, liquidator, 
trustee, rehabilitator, or similar official to take control of, supervise, manage or liquidate the Named Insured; 


then coverage will continue under this policy until terminated, but only with respect to Enterprise Security Events, 
Extortion Threats or violations of Privacy Regulations that occurred prior to such merger, consolidation, acquisition, 
or appointment. Coverage under this policy will cease as of the effective date of such merger, consolidation, 
acquisition, or appointment with respect to Enterprise Security Events, Extortion Threats or violations of Privacy 
Regulations first occurring after such event. 



New and Former Entities


1. If during the Policy Period, the Named Insured obtains Management Control of any entity, then this policy will 
provide coverage for such newly created or acquired entity and its subsidiaries, directors, officers, or employees 
who would otherwise become an Insured pursuant to the terms and conditions of this policy. However, if any 
such newly acquired or created entity's gross revenues exceed fifteen percent (15%) of the Insured Entity 
combined annual gross revenues at the effective date of this policy, such entity will only be deemed a Subsidiary 
under this policy for a period of ninety (90) days following such acquisition or creation. If the Named Insured 
seeks coverage for such entity beyond ninety (90) days, it must give written notice within ninety (90) days of such 
creation or acquisition and it must provide any necessary underwriting information and pay any additional 
premium as the Insurer may require. Coverage will continue beyond such ninety (90) day period only if the 
Insurer, in its sole discretion, agrees to provide coverage to such entity and its subsidiaries, directors, officers or 
employees as evidenced in an endorsement to this policy.


2. In all events, there is no coverage under this policy:


a. for any Enterprise Security Event with respect to any Subsidiary, any violation of a Privacy Regulation by 
or on behalf of any Subsidiary, or Extortion Threat made against any Subsidiary, whether such Subsidiary 
qualified as such prior to the inception date of this policy or after the inception date of this policy by virtue of 
paragraph a. above, or for Individual Insureds of any such Subsidiary, where such Enterprise Security 
Event or Extortion Threat or violation of a Privacy Regulation, occurred in whole or in part before the date 
such entity became a Subsidiary, or occurred in whole after such time the entity ceases to be a Subsidiary; 


b. for any Enterprise Security Event or Extortion Threat occurring on or after the date such entity became a 
Subsidiary, which together with any Enterprise Security Event or Extortion Threat described in i. above 
would be considered Related Enterprise Security Events or Related Extortion Threats; 


c. for any violation of a Privacy Regulation occurring on or after the date such entity became a Subsidiary,
which is logically or causally connected by any fact, circumstance, situation, event, or transaction to a 
violation of a Privacy Regulation that occurred prior to the date such Subsidiary became a Subsidiary. 


Notices


Except as otherwise provided in this policy, all notices under any provision of this policy must be in writing and 
delivered as follows: 


Notices to the Insureds will be delivered by prepaid express courier or certified mail to the Named Insured at its 
address as stated on the Declarations. Such notices are deemed to be received and effective upon actual receipt by 
the addressee or one day following the date such notices are sent, whichever is earlier. 


Notices to the Insurer will be delivered by prepaid express courier or certified mail, facsimile, or electronic mail to the 
appropriate party at the street address, fax number, or email address, as applicable, set forth on the Declarations. 


Other Insurance


If there is any other valid and collectible insurance available to the Insured that applies to any Coverage under this 
policy, this insurance is excess over such other insurance, except when the other insurance is specifically designed to 
apply in excess of this insurance, and no other insurance applies to the Claim, Enterprise Security Event or 
Extortion Threat. 


Premium

The Named Insured will pay to the Insurer the amount of premium stated on the Declarations. The premium may be
adjusted at any time during the Policy Period or any extensions of the Policy Period based upon changes in the 
provisions of this policy, as may be agreed upon by the Named Insured and the Insurer. 


Representations and Severability


The Insurer has relied on the statements made and information in the Application and the accuracy and 
completeness of such statements and information. Such statements and information are the basis for the Insurer’s 
issuance of this policy, are incorporated into and constitute a part of this policy, and such statements and information 
have induced the Insurer to issue this policy. 


If the Application contains any misrepresentation or any inaccurate or incomplete information or statement, and such 
misrepresentation or inaccurate or incomplete information or statement either was made with the intent to deceive, or 
materially affected either the acceptance of the risk or the hazard assumed by the Insurer under this policy, then no 
coverage will be provided under this policy for any Claims based upon or arising out of the facts that were the subject 
of such misrepresentation or inaccurate or incomplete information or statement, nor for any Enterprise Security 
Events or Extortion Threats arising out of or in connection with the facts that were the subject of such 
misrepresentation or inaccurate or incomplete information or statement, with respect to: 


1. any Individual Insured who knew, as of the date the Application was signed, of the facts that were the subject 
of the misrepresentation or inaccurate or incomplete information or statement, whether or not such Individual 
Insured knew the Application contained the misrepresentation or inaccurate or incomplete information or 
statement; or 


2. any Insured Entity, if any Control Group Insured of such Insured Entity knew, as of the date the Application
was signed, of the facts that were the subject of the misrepresentation or inaccurate or incomplete information or 
statement, whether or not such Control Group Insured knew the Application contained the misrepresentation 
or inaccurate or incomplete information or statement. 


For purposes of applying this condition, the knowledge of an Insured Entity or an Individual Insured will not be 
imputed to any other Individual Insured. 


Subrogation and Recovery


In the event of any payment under this policy, the Insurer will be subrogated to all the Insured's rights of recovery 
therefore against any person or organization, and the Insured will execute and deliver instruments and papers and do 
whatever else is necessary to secure such rights. The Insured will do nothing to prejudice such rights. The Insurer will 
have no rights of subrogation against any Insured hereunder. 


Territory, Valuation and Currency


Coverage under this policy applies to Claims made, or Enterprise Security Events, violations of Privacy 
Regulations and Extortion Threats taking place in any jurisdiction in the world, where legally permissible. If any 
amounts covered by this policy are paid in a currency other than the official currency of the country where this policy 
was issued (“Official Policy Currency”), then the payment will be considered to have been made in the Official Policy 
Currency at the conversion rate published in the Wall Street Journal at the time of the payment. 


SIGNATURE PAGE FOLLOWS. 

IN WITNESS WHEREOF, the Insurer has caused this policy to be issued by affixing hereto the facsimile signatures of its
President and Secretary. 




President Andrew Weissert, Secretary 

Endorsement No.:
Effective Date of Endorsement: 12:01 a.m. on
Policy Number:
Premium:

If the above date is blank, then this endorsement is effective on the effective date of the Policy.


PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS (PCI-DSS) COVERAGE ENDORSEMENT 


SCHEDULE OF COVERAGE 


Limits of Insurance 


Each PCI-DSS Claim Limit of Insurance: See Declarations Page

Retention

Aggregate PCI-DSS Fines Claim Retention: See Declarations Page

PCI-DSS Fines Claim Retroactive Date: See Declarations Page


It is agreed that: 


Solely with respect to a PCI-DSS Fines Claim, the definition of Damages in the section entitled DEFINITIONS is 
amended as follows: 


Notwithstanding anything to the contrary in this definition of Damages, Damages also includes PCI-DSS Fines. It is
a condition precedent to coverage for such PCI-DSS Fines that the Named Insured must have accurately validated, 
not more than twelve (12) months prior to the occurrence of the Enterprise Security Event giving rise to the Claim, 
to the applicable credit/debit card company that it was in compliance with the Payment Card Industry Agreement’s 
data security standards. 


Solely with respect to a PCI-DSS Fines Claim, the definition of Retroactive Date in the section entitled 
DEFINITIONS is amended to add the following: 


Solely as respects coverage for PCI-DSS Fines Claims, the Retroactive Date shall mean the date specified as the 
PCI-DSS Fines Claim Retroactive Date in the SCHEDULE OF COVERAGE of this endorsement, if any. If no PCI-DSS
Fines Claim Retroactive Date is stated in the SCHEDULE OF COVERAGE, the Retroactive Date for PCI-DSS
Fines Claims shall be the Retroactive Date stated on the Declarations or the First Inception Date of this policy, as 
applicable under the terms of this policy. 


The section entitled DEFINITIONS is amended to add the following new definitions: 


PCI-DSS Fines means amounts owed by the Insured Entity under the terms of a Payment Card Industry 
Agreement, but only if such amounts are imposed as indemnity obligations on the Named Insured due to its actual 
or alleged non-compliance with the data security standards set forth in such Payment Card Industry Agreement, 
and only if such PCI-DSS Fines arise out of a covered Enterprise Security Event. PCI-DSS Fines do not include 
any charge backs, interchange fees, discount fees or service fees. 


PCI-DSS Fines Claim means an Enterprise Security Event Claim brought by a credit/debit card company or 
credit/debit card processor seeking PCI-DSS Fines. 


The section entitled LIMITS OF INSURANCE, RETENTION AND REIMBURSEMENT is amended to add the 
following: 

PCI-DSS Fines Claims — Limits of Insurance and Retention


The Each PCI-DSS Fines Claim Limit of Insurance as specified in the above SCHEDULE OF COVERAGE is the 
most the Insurer will pay for covered Damages and Claim Expenses for each PCI-DSS Fines Claim in excess of the 
applicable retention. 


The Each PCI-DSS Fines Claim Limit of Insurance is part of and not in addition to the Each Claim and Policy Limit of 
Insurance stated in the Declarations, and constitutes the total limits of insurance available under this policy for
PCI-DSS Fines Claims.


The Aggregate PCI-DSS Fines Claim Retention specified in the above SCHEDULE OF COVERAGE is the most the 
Insured will be required to pay under the policy for all PCI-DSS Fines Claims. This Aggregate PCI-DSS Fines 
Claims Retention is in addition to and not part of the Each Claim Retention stated on the Declarations. 


All other provisions of the policy remain unchanged. 

Endorsement No.:
Effective Date of Endorsement: 12:01 a.m. on
Policy Number:
Additional Premium: N/A

If the above date is blank, then this endorsement is effective on the effective date of the policy.


RANSOMWARE LOSS COVERAGE ENDORSEMENT 
SCHEDULE OF COVERAGE 


Ransomware Loss Limit of Insurance: See Declarations Page
Ransomware Loss Retention: See Declarations Page


Information in the above schedule also may appear on the Declarations. 


It is agreed that: 

1. The definitions of Extortion Loss and Extortion Threat are amended as follows: 
Extortion Loss also includes Ransomware Loss. 
Extortion Threat also includes a Ransomware Attack. 

2. The following new definitions are added: 


Ransomware Attack means the insertion of malware by a third party perpetrator on computer hardware, software or 
components thereof linked together through a network of devices accessible through the internet or the Named 
Insured’s intranet or connected with data storage or other peripheral devices and operated by and either owned by or 
leased to a Named Insured that prevents or limits an Insured’s ability to access data thereon for the purpose of
obtaining a ransom from the Insured to end or remove the attack. 


Ransomware Loss means those funds paid by the Named Insured to the perpetrators of the Ransomware Attack to 
end the attack, with the Insurer’s prior approval. 


3. The Section entitled LIMITS OF INSURANCE, RETENTION AND REIMBURSEMENT is amended to add the following: 
Each Ransomware Loss Limit of Insurance 


Subject to the Policy Limit of Insurance and to the Aggregate First Party Coverages Limit of Insurance, the most the 
Insurer will pay for Ransomware Loss is the amount stated in the above SCHEDULE OF COVERAGE, which shall 
be part of, and not in addition to, the Extortion Loss Limit of Insurance. 


Aggregate First Party Coverages Retention 


The Aggregate First Party Coverages Retention set forth on the Declarations, if any, is the most the Insured will be 
required to pay under the policy for any first party coverage.


Subject to the First Party Coverages Retention, the Ransomware Loss Retention set forth in the above 
SCHEDULE OF COVERAGE, if any, is the most the Insured will be required to pay under the policy for such 
covered Ransomware Loss, regardless of the number of Ransomware Attacks. The Ransomware Loss 
Retention is part of and reduces the highest applicable each Claim retention. 


4. It is a condition precedent to the coverage provided by this endorsement that Computer System Extortion coverage has
also been purchased, and that the coverage was added by endorsement to this policy. 


All other provisions of the policy remain unchanged. 

Endorsement No.:
Effective Date of Endorsement: 12:01 a.m. on
Policy Number:
Additional Premium: N/A

If the above date is blank, then this endorsement is effective on the effective date of the policy.


SOCIAL ENGINEERING FRAUD COVERAGE ENDORSEMENT 


SCHEDULE OF COVERAGE 


Social Engineering Fraud Loss Limit of Insurance: See Declarations Page

Social Engineering Fraud Loss Retention: See Declarations Page


Information in the above schedule also may appear on the Declarations. 

It is agreed that: 

I. The following FIRST PARTY COVERAGE is added to the policy:
Social Engineering Fraud Coverage 


The Insurer will pay the Insured Entity for Social Engineering Fraud Loss resulting directly from a Social 
Engineering Fraud Event, in excess of the applicable retention and within the applicable Limits of Insurance. 


It is a condition precedent to coverage under the Social Engineering Fraud Coverage that the Insured 
attempted to Authenticate the Fraudulent Instruction prior to transferring any Money or Securities. 


II. Solely with respect to the coverage provided by this endorsement, the section of the policy entitled LIMITS OF
INSURANCE, RETENTION AND REIMBURSEMENT is amended to add the following: 


Multiple Insureds, Claims, Claimants 


The Limits of Insurance will not exceed the amounts stated respectively on the Declarations no matter how many 
Insureds are covered, Claims or Extortion Threats are made against the Insureds, or violations of Privacy 
Regulations, Enterprise Security Events or Social Engineering Fraud Events occur. 


Each Expense/Extortion Loss/Social Engineering Fraud Loss Limit of Insurance 


Subject to the Policy Limit of Insurance and to the Aggregate First Party Coverages Limit of Insurance, if any, the 
Social Engineering Fraud Loss Limit of Insurance set forth in the SCHEDULE OF COVERAGES is the most the 
Insurer will pay for each Social Engineering Fraud Loss. 


Aggregate First Party Coverages Retention 


The Aggregate First Party Coverages Retention set forth on the Declarations, if any, is the most the Insured will 
be required to pay under the policy for any first party coverage.


Subject to the Aggregate First Party Coverages Retention, the applicable Social Engineering Fraud Loss 
Retention set forth on the SCHEDULE OF COVERAGES, is the most the Insured will be required to pay under 
the policy for such Social Engineering Fraud Events. 


The Social Engineering Fraud Loss Retention set forth on the SCHEDULE OF COVERAGES is part of and 
reduces the highest applicable each Claim retention. 


IV. The section of the policy entitled EXCLUSIONS is amended by the addition of the following new subsection: 
Exclusions Applicable to Social Engineering Fraud Coverage 
This policy does not provide coverage for Claims based upon or arising out of: 
Acts of Owners


loss resulting from any fraudulent, dishonest, or criminal act by any Owner of the Insured Entity, whether acting 
alone or in collusion with others. 
VI.


Advantage

loss of one Insured to the gain of another Insured.

Disputed Payments


loss of Money or Securities transferred to or for the benefit of a Vendor where there is a dispute between the 
Insured and such Vendor with respect to goods provided or services performed by such Vendor. 


Employees

loss resulting from any fraudulent, dishonest or criminal act by any employee of the Insured Entity.

Intellectual Property and Confidential Information


1. loss of or loss resulting from theft, disappearance, destruction, release, or disclosure of, or access to, any 
trade secrets, intangible property or intellectual property; or 


2. loss of or loss resulting from theft, disappearance, destruction, release, or disclosure of, or access to, any 
confidential information of any kind, including any password, or any non-public, personal, or personally 
identifiable information. 


Indirect or Consequential Loss


indirect or consequential loss of any kind, including, but not limited to: income, earnings or profit not realized as 
the result of a covered loss; fees, costs or other expenses to establish the existence or amount of covered loss; 
fees, costs or other expenses of any party; or fees, costs or other expenses incurred by the Insured Entity in 
defending or prosecuting any legal proceeding or claim. 


Solely with respect to the coverage provided by this endorsement, the section of the Policy entitled REPORTING OF 
CLAIMS AND EVENTS is amended as follows: 


A. The subsection entitled When a Claim is Made or Event Occurs is amended by the addition of the following: 


A Social Engineering Fraud Event will be deemed to occur when the Social Engineering Fraud Event 
becomes known to a Control Group Insured. 


If Related Social Engineering Fraud Events subsequently occur, and are reported to the Insurer, all such 
Related Social Engineering Fraud Events will be considered a single Social Engineering Fraud Event and 
will be deemed to have occurred on the date the first of those Social Engineering Fraud Events occurred. 


B. The subsection entitled Reporting of Claims and Events, paragraph 2. only, is deleted in its entirety and 
replaced by the following: 


2. as soon as any Control Group Insured becomes aware of any Enterprise Security Event or Social 
Engineering Fraud Event, the Insured must immediately notify the Insurer in writing, but in no event later 
than 30 days after the Enterprise Security Event or Social Engineering Fraud Event occurs; and 


Solely with respect to the coverage provided by this endorsement, the section of the Policy entitled DEFINITIONS is 
amended by the addition of the following new definitions: 


Authenticate means to apply a method of challenge and response to the requestor of a Transfer Instruction. 


Client means any person or entity with whom the Insured Entity has agreed, in writing, to provide goods or services 
in exchange for a fee. 


Money means currency, coins or bank notes in current use and having a face value; or travelers’ checks, register 
checks and money orders held for sale to the public. 


Owner means any person that is an officer or executive of any corporation, has an interest in any limited liability 
company or is a partner of any partnership. 


Property means tangible property, other than Money or Securities. 


Related Social Engineering Fraud Event means all Social Engineering Fraud Events that have as a common 
nexus any fact, circumstance, situation, event, transaction, cause or series of causally or logically connected facts, 
circumstances, situations, events, transactions or causes. 


Securities means negotiable and non-negotiable instruments or contracts representing either Money or Property. 

Social Engineering Fraud Event means the transfer of the Insured Entity’s Money or Securities to a person, place
or account beyond the Insured Entity’s control by an employee of the Insured Entity acting in good faith reliance 
upon a verbal, written or electronic instruction that purported to be a legitimate Transfer Instruction but, in fact, was 
fraudulent. 


Social Engineering Fraud Loss means loss of Money or Securities transferred by the Insured Entity in a Social 
Engineering Fraud Event. 


Transfer Instruction means a verbal, written or electronic instruction purportedly from a Client, Vendor or employee 
of the Insured Entity to transfer Money or Securities. 


Vendor means any person or entity that provides goods or services to the Insured Entity pursuant to a written 
contract. 


All other provisions of the policy remain unchanged. 


Endorsement No. Effective Date of Endorsement Policy Number Additional Premium


12:01 a.m. on


If the above date is blank, then this endorsement is effective on the effective date of the policy.


N/A


TELECOMMUNICATIONS THEFT LOSS COVERAGE ENDORSEMENT 


SCHEDULE OF COVERAGE 


Telecommunications Theft Loss Limit of Insurance See Declarations Page 


Telecommunications Theft Loss Aggregate Retention See Declarations Page 


Information in the above schedule also may appear on the Declarations. 


It is agreed that: 


1. The section of the policy entitled CLAIMS MADE LIABILITY COVERAGES is amended to add the following new
coverage:


Telecommunications Theft Loss Coverage 


The Insurer will pay the Insured for Telecommunications Theft Loss incurred because of a Telecommunications 
Theft Event, in excess of the applicable retention and within the applicable limits shown in the SCHEDULE OF 
COVERAGE. 


2. The section of the policy entitled LIMITS OF INSURANCE, RETENTION AND REIMBURSEMENT is amended to add
the following:


Telecommunications Theft Loss Limit of Insurance


Subject to the Policy Limit of Insurance and to the Aggregate First Party Coverages Limit of Insurance, if any, the 
Telecommunications Theft Loss Limit of Insurance set forth in the above schedule is the most the Insurer will pay 
for each Telecommunications Theft Loss. 


Aggregate First Party Coverages Retention 


The Aggregate First Party Coverages Retention set forth on the Declarations, if any, is the most the Insured will be
required to pay under the policy for any first party coverage.


Subject to the Aggregate First Party Coverages Retention, the applicable Telecommunications Theft Loss 
Retention set forth on the SCHEDULE OF COVERAGES, is the most the Insured will be required to pay under the 
policy for such Telecommunications Theft Loss. 


The Telecommunications Theft Loss Retention set forth on the SCHEDULE OF COVERAGES, is part of and
reduces the highest applicable each Claim retention.


3. The section of the policy entitled EXCLUSIONS is amended to add the following:


Additional Exclusions Applicable to Telecommunications Theft Loss Coverage


This policy does not provide coverage for any amounts:


• based upon or arising out of indirect or consequential loss of any kind, including, but not limited to: income,
earnings or profit not realized as the result of a covered loss; fees, costs or other expenses to establish the 
existence or amount of covered loss; fees, costs or other expenses of any party; or fees, costs or other expenses 
incurred by the Insured in defending or prosecuting any legal proceeding or claim. 


• based upon or arising out of a Telecommunications Theft Event committed by, on behalf of or for the benefit of:


1. any Insured;


2. any entity that is a parent of the Named Insured, joint venturer or co-venturer of any Insured, or other entity
in which any Insured is a partner, and any entity directly or indirectly controlled, operated or managed by
such parent, joint venture, co-venturer or partner.


4. Solely with respect to the coverage provided by this endorsement, the following provision is added to the policy: 
REPORTING OF TELECOMMUNICATIONS EVENTS 
A. When an Event Occurs 


A Telecommunications Theft Event will be deemed to occur when an Insured first knows that a 
Telecommunications Theft Event has occurred, or has a reasonable basis to know that a 
Telecommunications Theft Event has occurred, including the receipt of any notice, invoice, or billing 
evidencing unauthorized use of Telecommunications Services. 


If Related Telecommunications Theft Events subsequently occur, and are reported to the Insurer, all such 
Related Telecommunications Theft Events will be considered a single Telecommunications Theft Event 
and will be deemed to have occurred on the date the first of those Telecommunications Theft Events 
occurred. 


B. Reporting of Events 


As soon as a Telecommunications Theft Event first occurs, the Insured must immediately notify the Insurer 
in writing, but in no event later than 30 days after the Telecommunications Theft Event occurs. 


5. The section of the Policy entitled DEFINITIONS is amended by the addition of the following new definitions: 


Related Telecommunications Theft Events means all Telecommunications Theft Events that have as a common 
nexus any fact, circumstance, situation, event, transaction, cause or series of causally or logically connected facts, 
circumstances, situations, events, transactions or causes. 


Telecommunications Services means telephone, fax, or data transmission services provided to the Insured by 
others for compensation. 


Telecommunications Theft Event means a third party’s intentional, unauthorized and fraudulent use of the 
Insured’s Telecommunications Services. 


Telecommunications Theft Loss means telephone service charges and fees incurred by the Insured because of a 
Telecommunications Theft Event, in excess of the Insured’s normal operating costs. 


All other provisions of the policy remain unchanged. 


Endorsement Number Effective Date of Endorsement Policy Number Premium
«eNo» 12:01 a.m. on «eEff» «ePol» «ePrem»


APPLICATION RELIANCE ENDORSEMENT 


It is agreed that this policy shall be deemed to include any materials and application forms submitted by or on behalf of 
the Insured to another insurance carrier, if subsequently also submitted to the Insurer in connection with the underwriting 
of this policy. Representations contained in such materials and applications shall be deemed to be made directly to the 
Insurer with the intent that the Insurer rely upon the accuracy and completeness of such information in its decision to
issue this policy.


All other provisions of the policy remain unchanged. 


Endorsement No. Effective Date of Endorsement Policy Number Premium


12:01 a.m. on


If the above date is blank, then this endorsement is effective on the effective date of the Policy.


See Declarations Page


CANCELLATION AND NONRENEWAL ENDORSEMENT - MICHIGAN 


It is agreed that: 


Except as specifically set forth herein, any Cancellation or Nonrenewal provision in this policy is replaced by the following. 
If the policy does not contain a Cancellation and/or Nonrenewal provision, the following is added to the policy: 


1. Cancellation 


a. The first Named Insured shown in the Declarations may cancel this policy by mailing or delivering to us or our
authorized agent advance notice of cancellation. Such advance notice of cancellation should be mailed or
delivered to the address indicated in the Declarations under the item entitled Notices to Insurer.


b. We may cancel this policy by mailing or delivering to the first Named Insured written notice of cancellation at
least:


(1) 10 days before the effective date of cancellation, if we cancel for non-payment of premium; or
(2) 90 days before the effective date of cancellation, if we cancel for any other reason.


c. Notwithstanding the above provisions, with respect to property policies, we may cancel this policy by mailing or
delivering to the first Named Insured written notice of cancellation at least:


(1) 10 days before the effective date of cancellation, if we cancel for non-payment of premium or any evidence of
incendiarism or fraud by owner or occupant; or


(2) 30 days before the effective date of cancellation, if we cancel for any other reason.


d. We will mail or deliver our notice to the first Named Insured's last mailing address known to us or our authorized
agent.


e. Notice of cancellation will state the effective date of cancellation and will be effective for all Insureds. All coverage
will end on the effective date of cancellation.


f. If this policy is cancelled, we will send the first Named Insured any pro rata premium refund due. The minimum
earned premium shall not be less than the pro rata premium for the expired time or $25.00, whichever is greater.
The cancellation will be effective even if we have not made or offered a refund.


g. If notice of cancellation is mailed, proof of mailing shall be considered sufficient proof of notice.


2. Nonrenewal 


a. If we decide not to renew this policy, we will mail or deliver to the first Named Insured's last mailing address
known to us or our authorized agent written notice of the nonrenewal not less than 30 days before the expiration 
date. 


b. If we offer to renew or continue and you do not accept, this policy will terminate at the end of the current policy
period. Failure to pay the required renewal or continuation premium when due shall mean that you have not 
accepted our offer. 


c. If we fail to mail or deliver proper notice of nonrenewal and you obtain other insurance this policy will end on the 
effective date of that insurance. 


d. If notice is mailed, proof of mailing is sufficient proof of notice.


As used herein, “us” and “we” refers to the insurance company named on the Declarations.


As used herein, “you”, “your” or “named insured” refers to the person or entity first named as such on the Declarations. 


If any provision of the policy contains cancellation or nonrenewal terms that are more favorable to the insured than those 
provided in this endorsement, then, except where prohibited by applicable state law, the more favorable terms control. 


All other provisions of the policy remain unchanged. 


Endorsement Number Effective Date of Endorsement Policy Number Premium


12:01 a.m. on


If the above date is blank, then this endorsement is effective on the effective date of the policy.


See Declarations Page


See Declarations Page


PRIVACY REGULATION DEFINITION CHANGE ENDORSEMENT - GDPR 
It is agreed that the definition of Privacy Regulation is amended to add the following: 


Privacy Regulation also specifically includes the General Data Protection Regulation (Regulation (EU) 2016/679) 
and any amendments thereto. 


All other provisions of the policy remain unchanged. 


Endorsement No. Effective Date of Endorsement Policy Number Premium


12:01 a.m. on 
If the above date is blank, then this endorsement is 
effective on the effective date of the policy. 


MITIGATION EXPENSE COVERAGE ENDORSEMENT 


SCHEDULE OF COVERAGES 
Limit of Insurance Retention 
Mitigation Expense $ Aggregate $ Each Claim 
If a Limit of Insurance is not stated for any coverage in the SCHEDULE OF COVERAGES above, the policy will not provide such coverage.


It is agreed that: 


1. Solely with respect to an Enterprise Security Event Claim, as applicable, under this policy, the following
supplemental coverage is added to this policy if a Limit of Insurance is stated in the SCHEDULE OF COVERAGE:


Supplemental Coverage — Mitigation Expense 


Subject to the Policy Limit of Insurance, the Insurer will indemnify the Named Insured for Mitigation Expense 
incurred in excess of the Mitigation Expense Retention and within the Mitigation Expense Limit set forth in the 
above Schedule of Coverages incurred by the Named Insured in response to a Circumstance that first occurs during 
the Policy Period; provided, however, that the Named Insured: 


1. gives the Insurer prompt notice of the Circumstance and obtains the Insurer’s approval before incurring any 
Mitigation Expense, or establishes to the Insurer’s satisfaction within thirty (30) days of first learning of the 
Circumstance that the Mitigation Expense was reasonably incurred; 


2. satisfies the Insurer, in its sole discretion, that, unless Mitigation Expense is incurred, such Circumstance is 
likely to result in a Claim, or in Claim Expenses or Damages equal to or in excess of the Mitigation 
Expense to be indemnified; 


3. satisfies the Insurer, in its sole discretion, that the Mitigation Expense to be incurred is necessary to avoid a 
Claim; and 


4. satisfies the Insurer, in its sole discretion, that the Insured is legally unable to recover such expenses and 
costs from any client, subcontractor or third party involved in the Circumstance. 


The LIMITS AND RETENTIONS section of the policy is amended to add the following provisions: 


Mitigation Expense Limit of Insurance and Retention 


Subject to the Policy Limit of Insurance, the amount stated in the SCHEDULE OF COVERAGE as the Mitigation 
Expense Aggregate Limit is the most the Insurer will pay for all Mitigation Expense covered under this endorsement, 
no matter how many Claims or Circumstances. 


If a retention for Mitigation Expense is indicated on the SCHEDULE OF COVERAGE, the Insured is responsible for 
payment of such retention for each Claim or Circumstance. All retentions will be borne by the Insureds uninsured 
and at their own risk. The Insurer’s obligation to pay any Mitigation Expense is excess of the applicable retention. 
The Limits of Insurance will not be reduced by the payment of any retention. 


The DEFINITIONS section of the policy is amended to add the following new definitions: 


Mitigation Expense means the Named Insured’s reasonable and necessary costs to correct a Circumstance for 
the purpose of limiting or reducing exposure to Damages or Claim Expenses. Mitigation Expense shall not include 
lost profits; lost business, fees due any Insured, any payment recoverable by any Insured from any client or any 
other party; or any salaries, wages, benefits, expenses, overtime or overhead. 


Circumstance means any actual or alleged fact, situation, or event that is reasonably likely to give rise to a Claim,
regardless of when such Claim is made. 


All other provisions of the policy remain unchanged. 


Endorsement No. Effective Date of Endorsement Policy Number [ ] Additional / [ ] Return Premium


N/A


12:01 a.m. on


If the above date is blank, then this endorsement is effective on the effective date of the policy.


See declarations page


N/A


INSURED ENTITY CHANGE ENDORSEMENT 


It is agreed that the definition of Insured Entity is deleted in its entirety and replaced with the following: 


Insured Entity means the Named Insured, any Subsidiary, each entity that enters into a program 
participation agreement with the Named Insured, and all active enrollees associated with the program
participation agreements. 


All other provisions of the policy remain unchanged. 


Endorsement Number Effective Date of Endorsement Policy Number Premium


PRIVASURE ENHANCEMENT ENDORSEMENT 


It is agreed: 


I. The SUPPLEMENTAL BENEFITS section of the policy is amended to add the following:


Extortion Threat Reward Reimbursement Coverage


The Insurer will reimburse the Insured Entity for monetary amounts it pays as a reward for information that leads to 
the arrest and conviction of persons responsible for making an Extortion Threat. The most the Insurer will reimburse 
for amounts under this supplemental benefit is $25,000 in the Policy Period, regardless of the number of Extortion 
Threats or informants, subject to availability of the Extortion Loss Limit of Insurance. Payments under this
supplemental benefit will erode such Limit; however, this amount shall not be subject to the Extortion Loss 
Retention. 


As a condition precedent to reimbursement, the Extortion Threat must first be made during the Policy Period, and 
the Insurer must consent to the reward before it can be offered. The Insurer will not consent to or reimburse rewards 
offered to auditors or investigators for the Insured Entity, including external auditors or investigators, or Insured 
Individuals who are internal auditors or investigators or who supervise external auditors or investigators. 


II. The Claims-Made Liability Coverage Retention provision in C. Retention of the section entitled LIMITS OF
INSURANCE, RETENTION AND REIMBURSEMENT is amended to add the following at the end thereof: 


The Insurer may elect to submit a Claim to binding arbitration or mediation with the Insured Entity’s consent. If the 
Insured Entity consents to the Insurer's request to submit a Claim to binding arbitration or mediation, and such 
Claim is, in fact, resolved within 180 days of initiation of such arbitration or mediation, the Insured Entity’s retention 
obligation as respects such Claim shall be reduced by 50 percent. 


III. Provision B. in the section entitled DEFENSE AND SETTLEMENT OF CLAIMS is deleted in its entirety and replaced
with the following: 


B. The Insurer will have the right to appoint counsel on the Insured’s behalf and to investigate and settle a covered 
Claim as is deemed necessary by the Insurer. However, the Insurer will not settle a Claim without the Insured’s 
consent, such consent not to be unreasonably withheld. If the Insurer recommends a settlement of a Claim which 
is acceptable to the claimant, and the Insured refuses to consent to such settlement, then the Insurer’s obligation 
to pay Damages, Regulatory Loss and Claim Expenses on account of such Claim, will not exceed the sum of 
the amount for which the Insurer could have settled such Claim plus Claim Expenses incurred prior to the date 
of such settlement offer, plus eighty percent (80%) of Damages, Regulatory Loss and Claim Expenses 
combined that are incurred after the date of the Insured’s refusal to consent to such settlement. However, in no 
event will the Insurer's liability exceed the applicable Limits of Insurance. 


IV. The section entitled DEFENSE AND SETTLEMENT OF CLAIMS is amended by the addition of the following at the
end thereof:


Notwithstanding the foregoing, the Insured may select counsel to be appointed by the Insurer to defend a covered 
Claim. However, the Insurer shall have the right and opportunity to approve in writing the Insured’s selection of 
counsel prior to appointment of such counsel to defend such Claim and to require the Insured to revoke such 
counsel’s appointment. The Insurer’s prior written approval of counsel shall not be unreasonably withheld, and, with 
respect to revocation, it shall not be unreasonably exercised. If more than one Insured is involved in a Claim, the 
Insurer may withhold approval of separate counsel for one or more of such Insureds unless there is a material, actual 
or potential conflict of interest among such Insureds. 


Counsel employed by the Insured shall comply with all litigation and billing standards and procedures requested by 
the Insurer. 


V. The first paragraph of provision B. Reporting of Claims and Events in the section entitled REPORTING OF
CLAIMS AND EVENTS is deleted and replaced as follows: 


It is a condition precedent to coverage under this policy that: 


1. as soon as any Control Group Insured becomes aware of any Claim, the Insured must notify the Insurer in 
writing as soon as practicable, but in no event later than 60 days after the end of the Policy Period; 


2. as soon as any Control Group Insured becomes aware of any Enterprise Security Event, the Insured must 
immediately notify the Insurer in writing, but in no event later than 60 days after the Enterprise Security Event 
occurs; and 


3. as soon as any Control Group Insured becomes aware of any Extortion Threat, the Insured must immediately 
notify the Insurer in writing but in no event later than 60 days after the Extortion Threat first occurs. This notice 
must contain known details concerning the person or entity making the Extortion Threat, and all reasonably 
obtainable information concerning the time, place and other details of the Extortion Threat. 


VI. Subparagraph 2. of the Optional Extended Reporting Period provision in the section entitled EXTENDED
REPORTING PERIODS is deleted and replaced by the following: 


2. The Insurer must receive the Named Insured’s request for the Optional Extended Reporting Period by written 
notice together with the applicable premium, within 60 days after the end of the Policy Period. If the Insurer does 
not receive payment within 60 days following the effective date of termination or nonrenewal, the Insurer will not 
be required to provide any Optional Extended Reporting Period. Premium for the Optional Extended Reporting 
Period will be fully earned on the effective date thereof. Once in effect, the Optional Extended Reporting Period 
may not be canceled. 


VII. The first paragraph of the definition of Damages in the section entitled DEFINITIONS is deleted and replaced by the
following: 


Damages means monetary judgment, award or settlement, including pre-judgment interest, and amounts that are 
actual, statutory, punitive, multiplied or exemplary, if permitted by law in an applicable jurisdiction; and attorney’s fees 
and attorney’s expense included as part of a judgment, award or settlement. Damages also includes interest on any 
part of a judgment not exceeding the applicable Limits of Insurance that accrues after the entry of the judgment and 
before the Insurer has paid or tendered or deposited the applicable judgment amount in court. Damages does not 
mean Regulatory Loss. 


VIII. The definitions of Enterprise Security Event Claim and Privacy Regulation Claim in the section entitled
DEFINITIONS are each amended to replace the following phrases as described below:


• “any alternative dispute resolution proceeding” will be deleted and replaced by “any alternative dispute resolution
proceeding, such as arbitration or mediation”;


• “civil proceeding” will be deleted and replaced by “civil or administrative proceeding”.


IX. The definition of Individual Insured, subparagraph 2, in the section entitled DEFINITIONS is deleted in its entirety
and replaced by the following:


2. an Insured Entity’s current or former partners, officers, directors and employees, including seasonal, temporary, 
and volunteer employees, but only with respect to their activities within the scope of their duties in their capacity 
as such; 


X. The Authorizations condition in GENERAL CONDITIONS is deleted in its entirety and replaced with the following:


Authorization 


The Named Insured is responsible for assurance of payment of all premiums and retentions. The Named 
Insured will have exclusive authority to act on behalf of all other Insureds with respect to providing and receiving 
notices of cancellation or nonrenewal, receiving any return premium, and purchasing any Optional Extended 
Reporting Period. In the event of a disagreement between any Insureds, the Named Insured will have exclusive 
authority to act on behalf of all other Insureds with respect to selection of counsel, negotiation of settlements and 
the decision to appeal or not to appeal any judgment. 


XI. Paragraph 1.b. of the Cancellation and Nonrenewal condition in the GENERAL CONDITIONS section of the policy 
is deleted in its entirety and replaced by the following: 


b. The Insurer may cancel this policy for non-payment of premium only. If the Insurer cancels, it will mail or deliver
to the Named Insured written notice of cancellation at least ten (10) days before the effective date of 
cancellation. The Insurer will mail or deliver the notice to the Named Insured at the address stated on the 
Declarations. If notice of cancellation is mailed, proof of mailing will be sufficient proof of notice. Delivery of the 
notice will be the same as mailing. 


XII. Paragraph 1. of the New and Former Entities condition in the GENERAL CONDITIONS section of the policy is 
deleted in its entirety and replaced by the following: 


1. If during the Policy Period, the Named Insured obtains Management Control of any entity, then this policy will
provide coverage for such newly created or acquired entity and its subsidiaries, directors, officers, or employees 
who would otherwise become an Insured pursuant to the terms and conditions of this policy. However, if any 
such newly acquired or created entity's gross revenues exceed twenty-five percent (25%) of the Insured Entity 
combined annual gross revenues at the effective date of this policy, such entity will only be deemed a Subsidiary 
under this policy for a period of ninety (90) days following such acquisition or creation. If the Named Insured 
seeks coverage for such entity beyond ninety (90) days, it must give written notice within ninety (90) days of such 
creation or acquisition and it must provide any necessary underwriting information and pay any additional 
premium as the Insurer may require. Coverage will continue beyond such ninety (90) day period only if the 
Insurer, in its sole discretion, agrees to provide coverage to such entity and its subsidiaries, directors, officers or 
employee as evidenced in an endorsement to this policy. 


All other provisions of the policy remain unchanged.


Endorsement No. Effective Date of Endorsement Policy Number Premium


12:01 a.m. on 


If the above date is blank, then this endorsement 
is effective on the effective date of the policy. 


PCI RE-CERTIFICATION SERVICES EXPENSE CHANGE ENDORSEMENT 
It is agreed that the section entitled DEFINITIONS is amended as follows: 
I. The definition of Forensic and Legal Expense is amended to add the following at the end thereof:


Forensic and Legal Expense also means the reasonable costs of PCI Re-Certification Services incurred by or on 
behalf of an Insured Entity in excess of the Insured Entity's normal operating costs and with the prior written 
approval of the Insurer. 


II. The following new definition is added:


PCI Re-Certification Services means the services of a third party computer security expert to re-certify the Insured 
Entity’s compliance with the PCI Security Standards Council’s payment card industry data security standards after an 
Enterprise Security Event, provided that: 


1. such recertification is required under the terms of the Insured Entity’s Merchant Services Agreement with a 
credit or debit card issuing company; and 


2. such Enterprise Security Event comprises one of the events described in sub-paragraphs 1., 2. or 3. of the 
definition thereof and directly results in the release, disclosure, theft, loss, alteration, corruption, destruction, 
deletion or damage to Protected Personal Information. 


PCI Re-Certification Services does not mean any services or activities performed to update, upgrade, enhance, 
or replace the Insured Entity’s computer system, nor to identify or remove software program errors, computer 
viruses or vulnerabilities. 


All other provisions of the policy remain unchanged. 